The Postinstall Monitors Missed This
Every major npm security scanner watches postinstall scripts. It is the most obvious place to hide malicious code, and the security industry has invested years in detecting it. The Miasma variant that hit @vapi-ai/server-sdk in June 2026 did not use postinstall scripts. It used binding.gyp — the build configuration file for node-gyp, the native addon compiler.
When npm encounters a package with a binding.gyp file and no explicit install script, it automatically runs node-gyp rebuild. The Miasma variant embedded its payload execution in the binding.gyp build process. No postinstall script. No preinstall script. Nothing for conventional monitors to flag. The payload executes during the native compilation step that most security tools treat as benign build infrastructure.
57 Packages in Under Two Hours
The attack moved fast. Snyk's timeline shows 57 packages compromised with 286 malicious versions published in under two hours. The worm's lateral movement through package namespaces was automated — once it gained publish access to one package, it propagated to every package the compromised account maintained.
The primary high-value target was @vapi-ai/server-sdk, Vapi's official server-side SDK for building AI voice agents. With 408,000 monthly downloads, it sits in the dependency tree of AI infrastructure across startups and enterprises building conversational AI systems. Every CI/CD pipeline that pulled the compromised version during the attack window executed the credential harvesting payload.
Why AI SDKs Are the New High-Value Targets
The Miasma variant did not target AI SDKs by accident. AI infrastructure packages run in environments with rich credential access: API keys for model providers, cloud service accounts for GPU clusters, database credentials for vector stores, and secrets for orchestration platforms. A credential harvester in an AI SDK's dependency tree has access to a concentrated payload of high-value secrets.
Vapi's server SDK specifically runs in backend environments that manage voice AI sessions — systems that hold telephony credentials, customer data access tokens, and model provider API keys. The attack surface per compromised install is substantially larger than a typical frontend utility package.
The Credential Harvest: Everything, Everywhere
Snyk's analysis of the payload confirmed credential harvesting across npm tokens, GitHub personal access tokens, AWS credentials (~/.aws/credentials and environment variables), GCP service account JSON, Azure CLI tokens, and Kubernetes kubeconfig files. The payload also searched for .env files recursively, capturing any application-level secrets stored in environment configuration.
The breadth of credential targeting reflects the reality of modern deployment environments. A single developer workstation or CI runner typically holds credentials for multiple cloud providers, container registries, and SaaS platforms. One compromised npm install can yield access to an organization's entire cloud footprint.
The Evasion Innovation
The binding.gyp technique represents a meaningful evolution in npm supply chain attacks. Security tooling has converged on monitoring lifecycle scripts (preinstall, install, postinstall) as the primary vector. The node-gyp build hook is a blind spot — it is a legitimate, widely-used mechanism for compiling native addons, and flagging every package with a binding.gyp file would generate unmanageable false positives.
Vapi's incident response team confirmed the compromised versions were removed and clean versions republished. The company issued credential rotation guidance for all users who installed the affected versions. But the detection gap remains: as of June 2026, most npm security scanners still do not inspect binding.gyp files for embedded payload execution.
For organizations building on JavaScript frameworks, the Phantom Gyp variant adds another dimension to supply chain risk assessment. Dependency auditing tools that focus on lifecycle scripts provide incomplete coverage. The attack surface includes build hooks, native compilation steps, and any mechanism that triggers code execution during npm install. The number of such mechanisms in the npm ecosystem continues to grow.


