Miasma Phantom Gyp Worm Hits npm Supply Chain

This week, a supply chain attack, named "Miasma," spread through the npm registry. Concurrently, a zero-day in Cisco SD-WAN environments was exploited. This "Miasma" campaign, a descendant of the "Shai-Hulud" worm family and meticulously tracked by Snyk as the Node-gyp Supply Chain Compromise - June 2026, uses a new "Phantom Gyp" technique for code execution during npm install. By weaponizing binding.gyp files, it bypasses traditional script-focused security controls.

The attack has impacted 57 distinct npm packages and hundreds of malicious versions of them, including high-traffic targets like @vapi-ai/server-sdk, which logs approximately 86,500 weekly downloads, and ai-sdk-ollama, with around 36,900 weekly downloads. Its primary objective is extensive credential theft across npm, GitHub, AWS, GCP, Azure, HashiCorp Vault, and Kubernetes, coupled with self-propagation across the npm and RubyGems ecosystems. The incident illustrates the escalation of software supply chain threats, which now combine layered evasion with durable persistence mechanisms.

Cisco also issued a warning about CVE-2026-20245, a high-severity, unpatched zero-day in its Cisco Catalyst SD-WAN Manager, actively exploited for root privilege escalation. These incidents, ranging from developer environments to government and humanitarian organizations, demonstrate how persistent and varied current cyber threats are across sectors.

How does the "Phantom Gyp" technique enable code execution?

The "Phantom Gyp" technique, central to the Miasma supply chain worm, enables arbitrary code execution during npm install by exploiting binding.gyp files, without relying on preinstall or postinstall lifecycle scripts. This method exploits node-gyp, which npm invokes to build native C/C++ addons, a step often overlooked by script-focused security tooling. The attack uses GYP's command expansion syntax, <!(...), which executes embedded shell commands during the build configuration phase.

Compromised packages like @vapi-ai/server-sdk@1.2.2 and autotel@3.4.3 shipped a 157-byte binding.gyp whose command expansion runs node index.js, discards its output (> /dev/null 2>&1) and then echoes stub.c as the expansion's result. This command executes node index.js during node-gyp's configuration step, with "type": "none" preventing any actual compilation, so the command's side effect is the target's sole purpose. The index.js file is a 4.5 MB obfuscated loader, decrypted in stages via a ROT-14 Caesar cipher and AES-128-GCM. It then downloads a standalone Bun v1.3.13 binary from oven-sh/bun releases and executes a ~649 KB stealer payload under that runtime. Running under Bun rather than Node.js evades Node.js-scoped monitoring.

The payload harvests credentials from developer and CI/CD environments, targeting:

  • AWS: aws_access_key_id / aws_secret_access_key, and IMDSv2 metadata endpoint.
  • GCP: GOOGLE_APPLICATION_CREDENTIALS and service account keys.
  • Azure: managed identity tokens via IMDS.
  • GitHub Actions: ACTIONS_ID_TOKEN_REQUEST_TOKEN plus runner process memory scraping for masked secrets.
  • HashiCorp Vault and Kubernetes: service account tokens from standard paths.
  • Password managers: 1Password, pass, and gopass.

Exfiltration occurs through attacker-controlled GitHub repositories, notably linked to the GitHub account liuende501, which maintains over 300 public repositories used as dead drops. This method blends malicious traffic with legitimate GitHub activity.

How does the Miasma worm propagate across ecosystems?

The Miasma worm is designed for self-propagation across multiple software ecosystems, using more than one route to widespread compromise. The npm worm component enumerates a compromised maintainer's packages via registry.npmjs.org/-/v1/search, injects the malicious binding.gyp and index.js files, and republishes the infected versions. A key characteristic is the forging of Sigstore provenance attestations through Fulcio and Rekor, making reinfected packages appear legitimately signed and aiding evasion.

Cross-ecosystem reach is evident with the RubyGems worm, which injects equivalent malicious logic into extconf.rb, RubyGems' native-extension build hook. This file functions similarly to binding.gyp by executing automatically at build time, sidestepping "script"-focused monitoring. Both npm and RubyGems variants reuse the Bun downloader for payload execution. This consistent strategy targets build-time extension files, which are not typically classified as lifecycle scripts.

Persistence is also achieved through GitHub repository poisoning. Using stolen GitHub tokens, the payload commits backdoor files into accessible repositories. These backdoors are placed within configurations for development tools and AI coding agents, such as .claude/, .cursor/rules/, and .vscode/tasks.json. Specifically, tasks.json entries may be configured with "runOn": "folderOpen", ensuring that the payload re-executes whenever a developer opens the project in their integrated development environment. This mechanism ensures long-lived persistence, surviving even npm uninstall. This campaign, part of the Shai-Hulud / Miasma lineage, consistently introduces new techniques for evasion, persistence, and execution.

Which Cisco SD-WAN zero-day is actively exploited?

Cisco has issued a warning regarding CVE-2026-20245, a high-severity, unpatched zero-day vulnerability actively exploited in Cisco Catalyst SD-WAN Manager to achieve root privilege escalation. The flaw stems from insufficient input validation, enabling local attackers with low privileges to execute arbitrary commands as the root user. Exploitation typically requires prior netadmin privileges, which attackers may gain through valid credentials or by exploiting existing Cisco SD-WAN vulnerabilities such as CVE-2026-20182 or CVE-2026-20127. Cisco became aware of the flaw in June 2026 through a report from Google Cloud's Mandiant. The company has observed limited cases where exploitation resulted in configuration changes pushed to edge devices.

The affected Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, is network management software overseeing up to 6,000 Catalyst SD-WAN devices. The vulnerability impacts all deployment types: On-Prem, Cloud-Pro, Cloud (Cisco Managed), and Government (FedRAMP). While patches for CVE-2026-20245 are unavailable, Cisco advises upgrading to versions fixing earlier vulnerabilities. For example, fixes for CVE-2026-20182 were released May 14, 2026, as detailed in Cisco SD-WAN Zero-Day AI May 15.

This incident extends a pattern of exploited Cisco SD-WAN zero-days. CVE-2026-20133, an information disclosure flaw, was flagged by CISA as exploited since 2023. Subsequently, CVE-2026-20128 and CVE-2026-20122 were also found under active abuse. Indicators of compromise (IOCs) for CVE-2026-20245 include specific log entries in /var/log/scripts.log, such as /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0, indicating attempts to upload tenant configuration data for privilege escalation.

What data was exposed in the UN World Food Programme breach?

The United Nations' World Food Programme (WFP) is investigating a security incident that compromised personal information from approximately 600,000 Palestinian households in Gaza. This data, collected via the WFP's Self-Registration Application (SRA) used exclusively in Palestine for humanitarian assistance, included names, identification numbers, phone numbers, and detailed neighborhood location information. The breach occurred on May 14, 2026.

Upon discovering the intrusion, the WFP promptly suspended the SRA platform, initiated containment efforts, and strengthened security controls. While "unauthorized parties" accessed the data, their identity and specific attack methods remain undisclosed. As the world's largest humanitarian organization, providing aid to about 1.6 million people in Gaza monthly, the WFP handles highly sensitive data for vulnerable populations. This compromise poses significant privacy and security risks, including potential for identity theft or further targeting, within an already volatile region. The investigation continues, with no public confirmation yet of whether the exposed information has been leaked or misused beyond initial unauthorized access.

How are Chinese intelligence services recruiting insiders via job platforms?

The Five Eyes intelligence partnership (ASIO, CSIS, FBI, MI5, NZSIS) issued its first joint bulletin on June 4, 2026, warning of extensive recruitment by China's military intelligence services. These services are using online job platforms, often through front companies outside China, to target individuals with access to sensitive information. Targets include government and military personnel (especially those with security clearances or in the Indo-Pacific), academics, journalists, and think tank employees. Chinese intelligence officers pose as recruiters for private consultancies, advertising roles like foreign-policy analysts to attract applicants with valuable connections or insights.

Recruitment now emphasizes applicants responding to job ads, with résumés ranked by likely access to sensitive data. Virtual interviews probe government contacts or military roles. Successful candidates write trial reports on topics of strategic interest to China, then are directed to provide privileged material via encrypted messaging. Payments, ranging from hundreds to thousands of dollars per report, often use unconventional methods.

The bulletin, "Safeguarding Our Secrets," emphasizes that even unclassified information on government policy, military strategy, or different capabilities can be combined to form a full operational picture. This aggregated intelligence can endanger frontline personnel, weaken economic prosperity, and enable interference in democratic processes. China's Ministry of Foreign Affairs denounced the allegations as "fabricated and malicious slander," asserting that Five Eyes members are the "real threat" with their own global intelligence operations.

Technical Takeaways

  • The Node-gyp Supply Chain Compromise uses the new "Phantom Gyp" technique, executing malicious code via binding.gyp files during npm install, bypassing traditional preinstall/postinstall script monitoring.
  • This npm worm, a descendant of the Shai-Hulud / Miasma family, employs a multi-stage, obfuscated loader that downloads and executes a standalone Bun binary for its core credential-stealing operations.
  • The worm exfiltrates stolen credentials (npm, GitHub, AWS, GCP, Azure, HashiCorp Vault, Kubernetes, password managers) to attacker-controlled GitHub repositories and achieves persistence through GitHub Actions injection and editor/AI agent hooks.
  • CVE-2026-20245, a high-severity, unpatched zero-day in Cisco Catalyst SD-WAN Manager, is actively exploited for root privilege escalation, requiring prior netadmin access or exploitation of other Cisco SD-WAN vulnerabilities.
  • The UN World Food Programme's Self-Registration Application (SRA) experienced a breach exposing names, identification numbers, phone numbers, and location data of approximately 600,000 Palestinian households in Gaza.
  • The Five Eyes intelligence alliance warns that Chinese military intelligence services are using online job platforms to recruit individuals with access to sensitive information by posing as legitimate recruiters for front companies.