Phantom Gyp binding.gyp Abuse
Discovered 2026-06-24.

The attacker places a binding.gyp at the package root with a command expansion, '<!(node index.js > /dev/null 2>&1 && echo stub.c)', in the sources field. npm falls back to node-gyp rebuild, which executes the command before lifecycle script scanners fire. Used identically in Wave 2 (June 3) and Wave 4 (June 24).
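
A defender-side check for the pattern described above, as an added example that is not part of the original entry: it lists GYP command expansions in a binding.gyp and reports whether npm would build the package implicitly. The function names, the `runsLocalScript` heuristic and both sample files are constructed for illustration.

```javascript
// Constructed sample: binding.gyp carrying the expansion quoted on this page.
const SAMPLE_GYP = `{
  'targets': [{ 'target_name': 'stub',
    'sources': ['<!(node index.js > /dev/null 2>&1 && echo stub.c)'] }]
}`;
// Constructed sample: the common include-path lookup seen in legitimate addons.
const BENIGN_GYP = `{
  'targets': [{ 'target_name': 'addon', 'sources': ['addon.cc'],
    'include_dirs': ["<!@(node -p \\"require('node-addon-api').include\\")"] }]
}`;

// Return every <!(...) / <!@(...) expansion, matching balanced parentheses.
function findGypCommandExpansions(gypText) {
  const hits = [];
  const opener = /<!@?\(/g;
  let m;
  while ((m = opener.exec(gypText)) !== null) {
    let depth = 1;
    let i = opener.lastIndex;
    for (; i < gypText.length && depth > 0; i++) {
      if (gypText[i] === '(') depth++;
      else if (gypText[i] === ')') depth--;
    }
    const end = depth === 0 ? i - 1 : gypText.length; // unterminated: take the rest
    const command = gypText.slice(opener.lastIndex, end).trim();
    hits.push({
      line: gypText.slice(0, m.index).split('\n').length,
      command,
      // Heuristic (assumption): runs a .js file shipped in the package itself
      runsLocalScript: /\bnode\s+[^\s-]\S*\.js\b/.test(command),
    });
    opener.lastIndex = end;
  }
  return hits;
}

// npm defaults install to `node-gyp rebuild` when binding.gyp is at the package
// root and package.json defines neither "install" nor "preinstall".
function assessPackage(packageJson, gypText) {
  const scripts = (packageJson && packageJson.scripts) || {};
  const hasGyp = typeof gypText === 'string';
  const implicitBuild = hasGyp && !scripts.install && !scripts.preinstall;
  const expansions = hasGyp ? findGypCommandExpansions(gypText) : [];
  const suspicious = implicitBuild && expansions.some((e) => e.runsLocalScript);
  return { implicitBuild, expansions, suspicious };
}

console.log(assessPackage({ name: 'demo' }, SAMPLE_GYP));
```

Expansions such as the `node -p` include lookup are common in legitimate addons, so treat a hit as a prompt for review rather than a verdict. Installing with `npm install --ignore-scripts` skips the implicit build.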