
New Self-Propagating npm Worm Exploits node-gyp to Compromise Node.js Supply Chain
Tags: npm, worm, node-gyp, supply_chain_attack, malware, GitHub, credential_theft, nodejs, cybersecurity
A new self-propagating npm worm exploits the binding.gyp file to execute malicious code during package installation by triggering node-gyp, bypassing the traditional lifecycle scripts. The attack steals credentials, persists within GitHub repositories, and spreads autonomously across maintainers' accounts. The compromise targets the Node.js supply chain, leveraging node-gyp—the tool used to compile native addon modules—to execute arbitrary code without the user's explicit awareness. No specific CVEs, dates, or victim counts were disclosed in the reported incident. The primary impacts are credential theft, unauthorized repository access, and lateral movement within development environments.
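As an added defender-side example (not code from the report or from the worm), the following script audits a package for the two conditions the summary describes: a binding.gyp that makes npm run `node-gyp rebuild` implicitly when package.json declares no install/preinstall script, and gyp constructs inside binding.gyp that execute commands at configure time (gyp's `<!(cmd)` / `<!@(cmd)` command expansions and `actions` entries). The sample binding.gyp and package.json contents are constructed for illustration; because gyp files are Python literals, `ast.literal_eval` parses them faithfully.

```python
import ast
import json
import re

# Constructed sample binding.gyp for demonstration (not from any real package).
SAMPLE_BINDING_GYP = """
{
  'targets': [
    {
      'target_name': 'addon',
      'sources': ['src/addon.cc'],
      # <!(...) tells gyp to run the command while node-gyp configures the build
      'include_dirs': ['<!(node ./setup.js)'],
      'actions': [
        {
          'action_name': 'prepare',
          'inputs': [],
          'outputs': ['build/prepared'],
          'action': ['sh', '-c', 'node ./setup.js'],
        },
      ],
    },
  ],
}
"""

COMMAND_EXPANSION = re.compile(r"<!@?\(")  # matches <!( and <!@( expansions

def audit_binding_gyp(text):
    """Return (path, reason) findings for binding.gyp constructs that run
    commands during `node-gyp configure`/`rebuild`: command expansions and actions."""
    findings = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "actions" and isinstance(value, list):
                    for i, act in enumerate(value):
                        cmd = act.get("action", []) if isinstance(act, dict) else []
                        findings.append((f"{path}/actions[{i}]",
                                         "action runs: " + " ".join(map(str, cmd))))
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif isinstance(node, str) and COMMAND_EXPANSION.search(node):
            findings.append((path, "command expansion: " + node))
    walk(ast.literal_eval(text), "")
    return findings

def implicit_node_gyp(package_json_text, has_binding_gyp):
    """True when npm's documented default applies: a binding.gyp is present and
    package.json defines no install/preinstall script, so `node-gyp rebuild`
    runs on install without any lifecycle script to review."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return has_binding_gyp and not any(k in scripts for k in ("install", "preinstall"))
```

Run `audit_binding_gyp` over each dependency's binding.gyp during review or in CI, and treat `implicit_node_gyp(...)` returning True as a signal to inspect the native build before installing.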