
How 56 npm packages used binding.gyp to steal CI/CD secrets

ID: 31fbc9f0-b4e0-5008-a115-3d70261ce244

STIX ID: report--31fbc9f0-b4e0-5008-a115-3d70261ce244

Feed Name: ReversingLabs Blog

Threat Score
90/100

Date Published: 2026-06-04

Date Updated: 2026-06-05

Author: RL Research Team

...
...

Over a ten-hour window on June 3–4, 2026, an attacker pushed 286 malicious versions across 56 npm packages. Each version embedded a binding.gyp that forced node-gyp to execute a large, multi-stage encrypted payload at install time. The malware targeted CI/CD runners to harvest credentials and secret files and exfiltrated the data to attacker-controlled GitHub repositories. It also established persistent update and dead-man-switch monitors, including a destructive handler that deletes home directories when the stolen GitHub tokens are revoked, and implemented worm-like propagation that republishes trojanized packages and injects workflow steps.

Recommended actions include isolating affected systems before revoking credentials, rotating all exposed tokens and keys, scanning for binding.gyp in pure-JS packages and for unusually large index.js files, and enabling 2FA on npm accounts.
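A defender-side check for the two indicators the recommended actions name (a binding.gyp in a package that ships no native sources, and an oversized index.js), written as an added example rather than code from ReversingLabs or the report; the 512 KiB size threshold and the sample package tree it scans are assumptions constructed for the demonstration:

```python
import json
import tempfile
from pathlib import Path

LARGE_INDEX_BYTES = 512 * 1024  # assumed threshold, not a value from the report; tune per environment
NATIVE_EXTS = {".c", ".cc", ".cpp", ".cxx", ".h", ".hpp"}

def has_native_sources(pkg_dir: Path) -> bool:
    """True if the package ships C/C++ sources that a binding.gyp could legitimately build."""
    for p in pkg_dir.rglob("*"):
        if "node_modules" in p.relative_to(pkg_dir).parts:
            continue  # nested dependencies are scanned as their own packages
        if p.is_file() and p.suffix.lower() in NATIVE_EXTS:
            return True
    return False

def scan_node_modules(root: Path, large_index_bytes: int = LARGE_INDEX_BYTES) -> list:
    """Walk every package.json under root and report the two indicators the advisory recommends checking."""
    findings = []
    for pkg_json in root.rglob("package.json"):
        pkg_dir = pkg_json.parent
        name = json.loads(pkg_json.read_text(encoding="utf-8")).get("name", pkg_dir.name)
        if (pkg_dir / "binding.gyp").is_file() and not has_native_sources(pkg_dir):
            findings.append({"package": name, "path": str(pkg_dir), "indicator": "binding.gyp without native sources"})
        index_js = pkg_dir / "index.js"
        if index_js.is_file() and index_js.stat().st_size > large_index_bytes:
            findings.append({"package": name, "path": str(pkg_dir), "indicator": f"index.js larger than {large_index_bytes} bytes"})
    return findings

def _write_pkg(root: Path, name: str, files: dict) -> None:
    # Creates a minimal package directory inside the constructed sample tree.
    d = root / "node_modules" / name
    d.mkdir(parents=True)
    (d / "package.json").write_text(json.dumps({"name": name, "version": "1.0.0"}), encoding="utf-8")
    for rel, data in files.items():
        (d / rel).write_bytes(data)

def run_demo() -> list:
    """Scan a constructed sample tree; returns 'package: indicator' strings, sorted for stable comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample: pure-JS package that nevertheless ships a binding.gyp (the pattern the report describes).
        _write_pkg(root, "suspicious-js", {"binding.gyp": b"{}", "index.js": b"module.exports = {};"})
        # Constructed sample: genuine native addon whose C++ source sits beside its binding.gyp, so it is not flagged.
        _write_pkg(root, "real-addon", {"binding.gyp": b"{}", "addon.cc": b"// native code"})
        # Constructed sample: package whose index.js is far larger than its job warrants.
        _write_pkg(root, "bloated", {"index.js": b"x" * (LARGE_INDEX_BYTES + 1)})
        return sorted(f"{f['package']}: {f['indicator']}" for f in scan_node_modules(root))
```

Point `scan_node_modules` at a real project's directory to list the packages worth a manual look; a hit is a triage signal, not proof of compromise, since legitimate addons and bundled libraries can also match.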
