New npm Worm 'Miasma' Bypasses --ignore-scripts Defense via Phantom Gyp Trick

A sophisticated npm worm called Miasma has emerged in early June, introducing a technique known as Phantom Gyp that renders the widely trusted --ignore-scripts defense ineffective. Attackers embed a malicious binding.gyp file inside published npm tarballs, exploiting the node-gyp native binding process to execute attacker-controlled shell payloads during the package configuration phase. The threat follows closely after the TanStack CI cache poisoning incident and is part of a broader wave of supply chain worms analyzed in a report covering six active campaigns. Separately, UC Santa Barbara researchers have published findings showing that third-party LLM API routers can silently rewrite in-flight tool-calling requests, enabling payload swaps or API key theft. Security experts are urging developers to reassess how agentic AI tools and third-party LLM routing layers are deployed in production environments.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in