A self-replicating worm is spreading through the npm registry using a new technique built around a 'binding.gyp' file: the build file causes malicious code to run during package installation, and because the package declares no install hook of its own, tooling that looks for suspicious lifecycle scripts in package.json does not flag it. The worm, identified by StepSecurity, harvests credentials from several platforms (including GitHub and AWS), injects its code into other packages the stolen credentials can publish, and so spreads across every account it compromises.
Unlike typical attacks that rely on npm lifecycle scripts such as preinstall and postinstall, this method leans on 'node-gyp': when a package ships a 'binding.gyp' at its root and defines no install or preinstall script, npm runs 'node-gyp rebuild' for it by default, so code executes at install time with no script visible in the manifest. A scanner that only inspects the scripts field therefore sees nothing to review; installing with 'npm install --ignore-scripts' suppresses this implicit build step along with explicit hooks. The situation is evolving, with numerous packages already compromised as of early June 2026.