Skip to content
Security & Trust

Phantom Gyp: AI SDK With 408K Downloads Targeted by Miasma Variant

Miasma variant uses node-gyp build hooks to evade monitoring, hitting @vapi-ai/server-sdk and 57 packages in under 2 hours.

· 6 min read
Share on X LinkedIn
Phantom Gyp: AI SDK With 408K Downloads Targeted by Miasma Variant

The Postinstall Monitors Missed This

Every major npm security scanner watches postinstall scripts. It is the most obvious place to hide malicious code, and the security industry has invested years in detecting it. The Miasma variant that hit @vapi-ai/server-sdk in June 2026 did not use postinstall scripts. It used binding.gyp — the build configuration file for node-gyp, the native addon compiler.

When npm encounters a package with a binding.gyp file and no explicit install script, it automatically runs node-gyp rebuild. The Miasma variant embedded its payload execution in the binding.gyp build process. No postinstall script. No preinstall script. Nothing for conventional monitors to flag. The payload executes during the native compilation step that most security tools treat as benign build infrastructure.

57
Packages Compromised
Source: Snyk, Miasma variant analysis, June 3, 2026

57 Packages in Under Two Hours

The attack moved fast. Snyk's timeline shows 57 packages compromised with 286 malicious versions published in under two hours. The worm's lateral movement through package namespaces was automated — once it gained publish access to one package, it propagated to every package the compromised account maintained.

The primary high-value target was @vapi-ai/server-sdk, Vapi's official server-side SDK for building AI voice agents. With 408,000 monthly downloads, it sits in the dependency tree of AI infrastructure across startups and enterprises building conversational AI systems. Every CI/CD pipeline that pulled the compromised version during the attack window executed the credential harvesting payload.

408,000
@vapi-ai/server-sdk Monthly Downloads
Source: npm registry statistics, June 2026

Why AI SDKs Are the New High-Value Targets

The Miasma variant did not target AI SDKs by accident. AI infrastructure packages run in environments with rich credential access: API keys for model providers, cloud service accounts for GPU clusters, database credentials for vector stores, and secrets for orchestration platforms. A credential harvester in an AI SDK's dependency tree has access to a concentrated payload of high-value secrets.

Vapi's server SDK specifically runs in backend environments that manage voice AI sessions — systems that hold telephony credentials, customer data access tokens, and model provider API keys. The attack surface per compromised install is substantially larger than a typical frontend utility package.

286+
Malicious Versions Published
Source: Snyk, Miasma variant package audit, June 2026

The Credential Harvest: Everything, Everywhere

Snyk's analysis of the payload confirmed credential harvesting across npm tokens, GitHub personal access tokens, AWS credentials (~/.aws/credentials and environment variables), GCP service account JSON, Azure CLI tokens, and Kubernetes kubeconfig files. The payload also searched for .env files recursively, capturing any application-level secrets stored in environment configuration.

The breadth of credential targeting reflects the reality of modern deployment environments. A single developer workstation or CI runner typically holds credentials for multiple cloud providers, container registries, and SaaS platforms. One compromised npm install can yield access to an organization's entire cloud footprint.

npm, GitHub, AWS, GCP, Azure, K8s
Credential Types Targeted
Source: Snyk, payload deobfuscation analysis, June 2026

The Evasion Innovation

The binding.gyp technique represents a meaningful evolution in npm supply chain attacks. Security tooling has converged on monitoring lifecycle scripts (preinstall, install, postinstall) as the primary vector. The node-gyp build hook is a blind spot — it is a legitimate, widely-used mechanism for compiling native addons, and flagging every package with a binding.gyp file would generate unmanageable false positives.

Vapi's incident response team confirmed the compromised versions were removed and clean versions republished. The company issued credential rotation guidance for all users who installed the affected versions. But the detection gap remains: as of June 2026, most npm security scanners still do not inspect binding.gyp files for embedded payload execution.

For organizations building on JavaScript frameworks, the Phantom Gyp variant adds another dimension to supply chain risk assessment. Dependency auditing tools that focus on lifecycle scripts provide incomplete coverage. The attack surface includes build hooks, native compilation steps, and any mechanism that triggers code execution during npm install. The number of such mechanisms in the npm ecosystem continues to grow.

Under 2 hours
Attack Duration
Source: Snyk, Miasma variant timeline reconstruction, June 2026
Share this insight