Researchers identified an active supply chain attack affecting multiple npm packages that leverages a novel abuse of the binding.gyp build mechanism to execute malicious code during package installation. Unlike traditional npm supply chain attacks that rely on preinstall or postinstall scripts, this campaign uses a malicious binding.gyp file to trigger code execution through node-gyp, bypassing many existing security controls and package review processes.
The attackers compromised npm maintainer accounts and published malicious package versions containing a small binding.gyp file. During package installation, npm automatically invokes node-gyp, which evaluates the shell command expansions embedded in the file's sources array and so executes attacker-controlled commands.
The affected packages therefore contain no suspicious preinstall or postinstall scripts. Instead, the malicious code is triggered through a lightweight binding.gyp file that launches an obfuscated JavaScript payload during installation.
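The two observations above, that npm reaches node-gyp without any lifecycle script and that gyp runs shell commands found in `<!( )` / `<!@( )` expansions, can be turned into a static triage check. The following is an added example, not code from the report or from any affected package; it assumes binding.gyp is JSON-compatible (gyp accepts Python-literal syntax, so a production scanner needs a more tolerant parser), and the `benignPkg`, `benignGyp`, `suspiciousPkg` and `suspiciousGyp` inputs are constructed samples.

```javascript
// Added example (not code from the report or any affected package): static triage of a
// package's binding.gyp for install-time command execution. Assumes a JSON-compatible
// binding.gyp; all sample inputs below are constructed.

// gyp evaluates <!(cmd) and <!@(cmd) by running cmd in a shell at configure time,
// which node-gyp reaches whenever `node-gyp rebuild` runs during `npm install`.
const EXPANSION = /<!@?\((.*)\)/;

// Walk the parsed binding.gyp and return every command expansion with its field path.
function findCommandExpansions(node, path = [], out = []) {
  if (typeof node === 'string') {
    const m = EXPANSION.exec(node);
    if (m) out.push({ path: path.join('.'), command: m[1].trim() });
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => findCommandExpansions(v, [...path, String(i)], out));
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) findCommandExpansions(v, [...path, k], out);
  }
  return out;
}

function assessPackage(pkg, gyp) {
  const scripts = pkg.scripts || {};
  // npm substitutes `node-gyp rebuild` for the install step when binding.gyp exists and
  // neither `install` nor `preinstall` is defined; the very absence of lifecycle scripts
  // is what lets this vector slip past script-focused review.
  const runsNodeGypAtInstall =
    (!('install' in scripts) && !('preinstall' in scripts)) || /node-gyp/.test(scripts.install || '');
  const findings = findCommandExpansions(gyp).map((e) => {
    const field = e.path.split('.').filter((p) => !/^\d+$/.test(p)).pop();
    if (field === 'sources') return { severity: 'high', ...e, note: 'shell command under sources; inspect it' };
    if (field === 'include_dirs' && /node-addon-api/.test(e.command))
      return { severity: 'info', ...e, note: 'usual node-addon-api include lookup' };
    return { severity: 'review', ...e, note: 'command expansion outside the usual include_dirs pattern' };
  });
  const rank = { none: 0, info: 1, review: 2, high: 3 };
  const risk = findings.reduce((r, f) => (rank[f.severity] > rank[r] ? f.severity : r), 'none');
  return { runsNodeGypAtInstall, risk, findings };
}

// Constructed samples: a typical native addon versus a package carrying the pattern.
const benignPkg = { name: 'example-addon', scripts: { test: 'node test.js' } };
const benignGyp = { targets: [{ target_name: 'addon', sources: ['src/addon.cc'],
  include_dirs: ["<!(node -p \"require('node-addon-api').include\")"] }] };
const suspiciousPkg = { name: 'example-addon' };
const suspiciousGyp = { targets: [{ target_name: 'addon',
  sources: ['<!(node ./tools/placeholder.js)', 'src/addon.cc'] }] }; // placeholder command
console.log(JSON.stringify(assessPackage(suspiciousPkg, suspiciousGyp), null, 2));
```

Legitimate addons routinely use an `include_dirs` expansion to locate node-addon-api headers, so the check ranks by field rather than flagging every expansion; anything under `sources` still needs a human look at the command.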