
Two npm Worms Hit AI Developer Tooling This Week — One Uses a Technique Your Security Tooling Ignores

CivSafe Team · June 8, 2026

Two separate npm supply chain attacks landed this week. Most coverage focused on the technical details. The part that matters for your team is simpler: both campaigns specifically targeted AI developer tooling, and one used a technique designed to slip past the security controls most teams have in place.

If you build anything with Node.js and AI integrations — voice agents, chatbots, API wrappers, workflow automation — keep reading.

What happened

Miasma's second wave started June 3rd at 23:30 UTC. You may have seen coverage of the first Miasma wave that hit 32 Red Hat npm packages on June 1st. The second wave was different in scale and in target.

The attacker compromised @vapi-ai/server-sdk — Vapi's official server SDK for building voice AI applications, with 408,000+ monthly downloads — and used it as Patient Zero. Within 90 minutes, 57 packages and 286 malicious versions were published across multiple maintainer accounts. The hit list included ai-sdk-ollama (120,000+ monthly downloads), and dozens of utility packages in the autotel, awaitly, and node-env-resolver families.

Every compromised package did the same thing: downloaded a Bun runtime, ran an obfuscated payload, harvested GitHub tokens, CI/CD secrets, and cloud credentials, then exfiltrated everything to a GitHub dead-drop account before replicating into any other packages the compromised maintainer account could publish.

Safe versions: @vapi-ai/server-sdk at 0.11.0 or earlier. ai-sdk-ollama at 0.13.0 or earlier.

IronWorm was reported on June 4th and 5th. It came from a different threat actor with a different target list: 37 packages published through the compromised asteroiddao npm account. IronWorm is the more technically sophisticated of the two. Its payload is a 976KB Rust binary with an embedded eBPF rootkit that hides its own processes from defenders, command-and-control over Tor, and an explicit credential sweep covering 86 environment variables and over 20 credential file paths.

The IronWorm target list reads like a checklist of tools small AI teams run: AWS, GCP, Azure, Vault, Kubernetes, GitHub, Docker, npm — and every major 2026 AI provider API key. OpenAI, Gemini, Cohere, Mistral, Groq, Perplexity, xAI. The full stack, enumerated by name.

The part your security tools probably missed

Most teams checking for supply chain risk rely on some combination of npm audit, Dependabot, and Socket. npm audit and Dependabot compare the versions in your lockfile against a database of advisories that have already been reported, so they are silent in the window between a compromised release and its disclosure. Tools that inspect what a package does at install time, Socket among them, look first at the package.json lifecycle scripts: the preinstall, install, and postinstall hooks that npm executes automatically.

Miasma's second wave didn't use any of those.

Instead, it used a 157-byte binding.gyp file. npm treats a binding.gyp in a package root as a native addon to build: if the package defines no install or preinstall script of its own, npm's default install step is node-gyp rebuild, which hands the file to gyp. gyp, in turn, has two legitimate ways to run commands: the <!(command) command expansion, which executes a shell command while generating build files and substitutes its output, and per-target "actions", which run commands during the build itself. The attacker used binding.gyp as a command substitution point: arbitrary shell commands executed during npm install without touching the lifecycle scripts that security tools monitor.

Security researchers named it "Phantom Gyp" because it hides in plain sight. The dist/ code in every compromised package was untouched and legitimate. Nothing in package.json was modified; the build step that runs the payload is npm's implicit default for a package with a binding.gyp, not a declared script. Your lockfile shows a valid-looking package at a valid-looking version, and scanning for malicious lifecycle hooks turns up nothing.

A 157-byte binding.gyp is all it takes.

Why this matters for small AI teams specifically

Large enterprises usually have centralized package management, internal registries, and dedicated security teams watching for this. Your team probably doesn't. You're pulling directly from npm, running npm install in CI environments where install-time execution is entirely normal, with API keys and cloud credentials sitting in environment variables because that's how your integrations connect.

Both attacks were built for exactly that environment.

The AI key angle is worth sitting with. IronWorm explicitly enumerates AI provider API key patterns in its sweep. That's not accidental. Small teams building AI applications often carry API keys with meaningful monthly spending limits, and cloud credentials with enough permissions to spin up compute or reach data storage. The credential haul from an AI development environment is worth more than the one from a typical web app stack.

If you've installed Vapi's server SDK or ai-sdk-ollama, or any of the other 55 affected packages, since June 3rd from a floating version range, assume your credentials have been exfiltrated. At this point the mitigation isn't auditing. It's rotation.

What to do right now

Check which versions are installed:

npm list @vapi-ai/server-sdk ai-sdk-ollama

If you see @vapi-ai/server-sdk at any version above 0.11.0, or ai-sdk-ollama above 0.13.0, and it was installed between June 3rd and June 6th, treat that environment as compromised. Check every place an install happened, not just the repository: developer machines, CI runners, and build images each have their own node_modules.

For IronWorm: Review your package.json and lockfile for any packages published through the asteroiddao npm account. JFrog Security Research published the full affected package list.

Rotate everything from affected environments. Don't try to figure out exactly what was accessed. Assume it all was:

  • All AI provider API keys (these were the explicit target)
  • GitHub personal access tokens and deploy keys
  • AWS/GCP/Azure service account credentials
  • npm access tokens
  • Any values in .env files present during the install

Lock your versions going forward. This is the most important change. A caret range like "@vapi-ai/server-sdk": "^0.12.0" tells npm to take the newest matching 0.12.x release at install time, which is exactly how a malicious patch release reaches you without anyone changing a line of your code. Pin to exact versions, commit the lockfile, and use npm ci instead of npm install in CI so that only the versions recorded in the lockfile are installed. Pinning is not a substitute for scanning, though: npm ci still runs install scripts, including the implicit node-gyp build, for whatever the lockfile names. Use npm install --ignore-scripts when evaluating packages you don't yet trust; it skips lifecycle scripts and the default node-gyp rebuild alike (and so also breaks native addons that genuinely need compiling, an acceptable cost during evaluation). Setting ignore-scripts=true in the project's .npmrc makes that the default.

Add Phantom Gyp detection to your pipeline. Most existing tools won't catch the binding.gyp technique. Chainguard published detection signatures for this specific pattern. Incorporate them now, before the next variant arrives with a slightly different implementation.

The pattern worth naming

This is the third significant npm/PyPI supply chain attack on AI tooling since March. LiteLLM in March. PyTorch Lightning on April 30th. Now Miasma and IronWorm landing in the same week, both explicitly going after AI developer credentials.

The AI tooling ecosystem grew extremely fast. Libraries went from side projects to critical infrastructure in under two years, and security practices haven't kept pace. Pinning versions, scanning installs, rotating credentials on compromise — these aren't advanced practices. They're table stakes. But they're not standard in most small teams yet.

Attackers know this. An AI development environment is a high-value target: API keys with spending limits, cloud credentials with compute access, GitHub tokens with repository access. The npm registry is worth compromising again and again as long as teams keep pulling unpinned packages in unscanned pipelines.

The fix isn't complicated. But knowing what's actually running in every environment your team uses — which version of which package in which CI runner — is harder than it sounds.


That's exactly the gap we help close, usually in a half-day before anything goes wrong. Get in touch.
