A supply chain attack targeting the npm ecosystem has compromised dozens of packages across multiple maintainer accounts, using the binding.gyp package — a core build configuration component for native Node.js addons — as the initial compromise vector. The attack follows the pattern of the TanStack, Nx Console, and Laravel-Lang supply chain attacks covered in previous reports, indicating a sustained campaign against the software supply chain through compromised maintainer credentials.
What Is the Vulnerability?
This is an active supply chain compromise, not a software vulnerability. Attackers gained access to npm maintainer accounts and published malicious versions of packages that depend on or are related to binding.gyp — the build configuration file format used by node-gyp to compile native C/C++ addons for Node.js. The binding.gyp format is a fundamental component of the Node.js native module ecosystem, used in thousands of packages that require compiled code.
By compromising maintainer accounts, attackers were able to publish malicious package versions directly to the npm registry under trusted identities. Developers who installed or updated these packages during the compromise window unknowingly pulled malicious code into their projects. The malicious payloads can include credential stealers, backdoors, cryptocurrency miners, or data exfiltration code that executes during npm install scripts or at application runtime.
This is the fifth major npm supply chain attack covered in the Vulnerability Intelligence Reports — following TanStack (84 malicious versions across 42 packages on May 11), Nx Console (malicious version 18.95.0 on May 19), Laravel-Lang (700 malicious versions across 4 packages on May 22-23), and Megalodon (5,718 malicious commits to 5,561 GitHub repositories on May 18). The frequency and scale of these attacks indicate a coordinated, sustained campaign targeting the software supply chain.
- Type: Supply chain compromise — compromised maintainer accounts
- Vector: Malicious package versions published to the npm registry
- Impact: Credential theft, backdoor installation, data exfiltration in affected build environments
Which Packages Are Affected?
Dozens of npm packages across multiple maintainer accounts. The attack originated through the binding.gyp package but spread to other packages maintained by the compromised accounts. Developers should check npm audit output and the npm advisory for the specific list of affected packages and malicious version ranges.
Is It Being Exploited in the Wild?
Yes — this is an active supply chain attack. The malicious packages were published to the public npm registry and were available for installation by any developer or CI/CD pipeline during the compromise window. If your project pulled any of the affected packages during this period, the malicious code is present in your application and build environment.
What Is the Fix?
Immediate actions for all development teams:
- Audit your dependency tree. Check package-lock.json or yarn.lock for any of the affected packages. Run npm audit to flag known-malicious versions.
- Pin dependencies to known-good versions. Update to patched (clean) versions of affected packages. If a clean version is not yet available, temporarily remove the dependency or pin to a version published before the compromise window.
- Rotate all credentials. If a malicious package was installed in any environment — including local development, CI/CD pipelines, or production builds — rotate all credentials accessible from that environment: npm tokens, GitHub tokens, CI/CD secrets, cloud API keys, database credentials, and environment variables.
- Audit build logs. Review CI/CD build logs for unusual network requests, unexpected file writes, or command executions during the npm install phase that occurred while malicious package versions were present.
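As an added example (not code from the advisory or from npm), the following Node.js script carries out the dependency-tree audit above against a lockfileVersion 2 or 3 package-lock.json: it flags any dependency, including nested and scoped ones, whose version appears in a known-malicious list, and lists every package that runs install scripts, since that is where such payloads typically execute. The malicious list and the sample lockfile are constructed placeholders; real affected names and versions come from the npm advisory.

```javascript
// Added example, not from the advisory: audit a package-lock.json
// (lockfileVersion 2 or 3) for known-malicious versions and install scripts.
// PLACEHOLDER list with constructed names/versions; replace with the
// affected packages and version ranges published in the npm advisory.
const MALICIOUS = {
  "example-native-addon": new Set(["2.4.1", "2.4.2"]),
  "example-build-helper": new Set(["0.9.7"]),
};

// Map a lockfile "packages" key to a package name. Nested deps live under
// node_modules/a/node_modules/b, scoped names keep their @scope/ prefix, and
// workspace entries (no node_modules/ in the path) carry an explicit name.
function packageName(path, meta) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? meta.name || path : path.slice(idx + "node_modules/".length);
}

// Returns { malicious: [...], installScripts: [...] } for a parsed lockfile.
function scanLockfile(lock, malicious = MALICIOUS) {
  if (!lock.packages) throw new Error("lockfileVersion 2 or 3 required");
  const findings = { malicious: [], installScripts: [] };
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageName(path, meta);
    if (malicious[name] && malicious[name].has(meta.version)) {
      findings.malicious.push({ name, version: meta.version, path });
    }
    if (meta.hasInstallScript) { // npm marks packages with (pre|post)install scripts
      findings.installScripts.push({ name, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile standing in for a real package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/example-native-addon": { version: "2.4.1", hasInstallScript: true },
    "node_modules/some-wrapper": { version: "1.3.0" },
    "node_modules/some-wrapper/node_modules/example-build-helper": { version: "0.9.7" },
    "node_modules/@scope/native-thing": { version: "3.0.0", hasInstallScript: true },
  },
};

// Run on the sample; for a real lock use JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
const report = scanLockfile(SAMPLE_LOCK);
report.malicious.forEach((f) => console.log(`MALICIOUS ${f.name}@${f.version} at ${f.path}`));
report.installScripts.forEach((f) => console.log(`runs install scripts: ${f.name}@${f.version}`));
```

Every install-script package is a review candidate even when its version is not on the malicious list, since the list lags behind newly published compromises.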
Recommendations
Audit all npm dependencies today. This is the fifth major npm supply chain attack this year. Every development team should treat dependency auditing as a mandatory, recurring security practice — not a one-time response to incidents.
Implement supply chain security controls:
- Enable npm package signing and integrity verification in your CI/CD pipeline
- Use lock files consistently and commit them to version control
- Pin dependencies to exact versions — avoid version ranges that automatically pull new releases
- Deploy a package allowlisting solution that prevents installation of packages not explicitly approved
- Monitor npm advisory databases and configure automated alerts for newly flagged malicious packages
- Consider using a private npm registry or proxy that caches audited package versions
Review maintainer account security. If you maintain any npm packages, enable two-factor authentication (2FA) on your npm account immediately. The sustained pattern of compromised maintainer accounts suggests that attackers are specifically targeting maintainers with weak or absent 2FA.
References
- CybersecurityNews: binding.gyp Supply Chain Attack
- npm Security Advisories
- Vulnerability Intelligence Report — June 5, 2026
This advisory was first covered in the broader Vulnerability Intelligence Report — June 5, 2026. For a comprehensive view of all active threats, refer to the full report.
