Perceptive Security
SOC/SIEM Consultancy

binding.gyp: An npm Supply Chain Attack That Spreads Like a Worm
Published:
4 June 2026 at 03:47:39
Alert date:
4 June 2026 at 04:00:30
Source:
stepsecurity.io
Supply Chain & Dependencies
A self-replicating worm is spreading across the npm registry, using binding.gyp files to execute malicious code during npm install. Instead of declaring lifecycle scripts in package.json, which conventional security tools inspect, the worm ships a binding.gyp file, which npm acts on automatically at install time, so the malicious code runs without any script appearing in package.json. The worm has compromised dozens of npm packages across multiple maintainer accounts and spreads autonomously, which makes it particularly dangerous for the JavaScript ecosystem. The technique is novel, and current security tools are not detecting it effectively.
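The following scanner is an added example written for this page; it is not code from the alert or from stepsecurity.io. It relies on documented npm behaviour: when a package contains a binding.gyp file and declares no preinstall/install script, npm defaults the install step to `node-gyp rebuild`, so the build definition runs at install time with nothing visible under package.json "scripts". The script walks a node_modules tree, reports every package that carries a binding.gyp, notes whether that implicit node-gyp rebuild applies, and escalates packages whose build definition uses gyp `actions` entries (which run arbitrary commands) or cannot be parsed. The node_modules tree it scans is constructed in a temp directory; the package names and file contents are made up for the demonstration.

```python
import ast
import json
import tempfile
from pathlib import Path
from typing import Optional

INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def load_gyp(text: str) -> dict:
    """Parse a binding.gyp body. Most are valid JSON, but the gyp format also
    accepts Python-style literals (single quotes, trailing commas, # comments),
    so fall back to ast.literal_eval for those."""
    try:
        return json.loads(text)
    except ValueError:
        return ast.literal_eval(text)


def audit_package(pkg_dir: Path) -> Optional[dict]:
    """Return a finding for pkg_dir if it contains a binding.gyp, else None."""
    gyp_path = pkg_dir / "binding.gyp"
    if not gyp_path.is_file():
        return None
    pkg_json = pkg_dir / "package.json"
    meta = json.loads(pkg_json.read_text()) if pkg_json.is_file() else {}
    scripts = meta.get("scripts", {})
    finding = {
        "name": meta.get("name", pkg_dir.name),
        "path": str(pkg_dir),
        # No install hook declared + binding.gyp present => npm runs
        # `node-gyp rebuild` by default, with no script shown in package.json.
        "implicit_node_gyp_rebuild": not any(k in scripts for k in INSTALL_HOOKS),
        "actions": [],  # commands that gyp 'actions' would run during the build
        "parse_error": False,
    }
    try:
        cfg = load_gyp(gyp_path.read_text())
        for target in cfg.get("targets", []):
            for action in target.get("actions", []):
                finding["actions"].append(list(action.get("action", [])))
    except (ValueError, SyntaxError):
        finding["parse_error"] = True
    return finding


def scan_node_modules(root) -> list:
    """Collect findings for every installed package (scoped ones included)."""
    findings = []
    for pkg_json in sorted(Path(root).rglob("package.json")):
        finding = audit_package(pkg_json.parent)
        if finding:
            findings.append(finding)
    return findings


def needs_review(finding: dict) -> bool:
    """Every binding.gyp is an install-time execution point; escalate when the
    build definition runs extra commands or could not be parsed."""
    return bool(finding["actions"]) or finding["parse_error"]


def write_package(pkg_dir: Path, meta: dict, gyp: Optional[str] = None) -> None:
    pkg_dir.mkdir(parents=True)
    (pkg_dir / "package.json").write_text(json.dumps(meta))
    if gyp is not None:
        (pkg_dir / "binding.gyp").write_text(gyp)


def build_sample_tree() -> Path:
    """Constructed sample node_modules tree; none of these are real packages."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    # pure JS package: no binding.gyp, must not be reported
    write_package(root / "plain-lib", {"name": "plain-lib", "version": "1.0.0"})
    # ordinary native addon: explicit install script, only compiles sources
    write_package(root / "native-addon",
                  {"name": "native-addon", "scripts": {"install": "node-gyp rebuild"}},
                  gyp='{"targets": [{"target_name": "addon", "sources": ["addon.cc"]}]}')
    # suspicious: no install script, and binding.gyp runs a script via an action
    write_package(root / "@acme" / "quiet-dep", {"name": "@acme/quiet-dep"},
                  gyp="{'targets': [{'target_name': 'x', 'sources': [],\n"
                      "  'actions': [{'action_name': 'setup', 'inputs': [], 'outputs': ['out'],\n"
                      "               'action': ['node', 'postbuild.js']}]}]}  # constructed\n")
    return root


if __name__ == "__main__":
    for f in scan_node_modules(build_sample_tree()):
        flag = "REVIEW" if needs_review(f) else "info"
        print(f"[{flag}] {f['name']}: implicit node-gyp rebuild="
              f"{f['implicit_node_gyp_rebuild']}, actions={f['actions']}")
```

Run it against a real checkout by passing the project's node_modules path to scan_node_modules; a binding.gyp appearing in a package that never shipped one before is the signal to look at first. Installing with `npm ci --ignore-scripts` skips lifecycle scripts, including the default node-gyp rebuild, which is a practical stopgap while a suspect package is investigated.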
Technical details
Mitigation steps:
Affected products:
npm
Node.js
Related links:
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
