Miasma Worm Hits AI SDKs in npm Supply Chain Attack

A new Miasma worm wave hit popular AI SDKs on npm, including Vapi and ai-sdk-ollama.

June 4, 2026

A new wave of the Miasma npm campaign recently swept the registry, and it landed on two of the most widely used AI packages in the ecosystem. The targets are the story.

Researchers at StepSecurity traced this wave to a self-spreading variant of the Shai-Hulud worm. In under two hours it poisoned 57 packages across more than 286 malicious versions. The two biggest names on the list are AI SDKs: @vapi-ai/server-sdk, the official Vapi voice AI server SDK with over 408,000 monthly downloads, and ai-sdk-ollama, with more than 120,000.

That should get every AI team's attention.

The attack runs before your app does

Most developers still picture a dependency as dangerous only once their code imports it. That model is outdated.

Modern npm malware does not wait for your app to call it. It executes during installation.

Earlier Miasma waves used obvious lifecycle hooks like preinstall, which most scanners watch for. This wave uses a quieter path that StepSecurity calls "Phantom Gyp." It hides execution inside binding.gyp, a file normally tied to native Node.js modules, and triggers it through node-gyp rebuild. Shell command expansion during that build step silently runs the malicious code.

The package can look cleaner than it is, because the dangerous behavior is not sitting in the usual package.json install script. For tools that mainly flag lifecycle hooks, that is a blind spot. For developers who assume npm install is harmless, it is worse. No CVE has been assigned either, so scanners that wait for advisories see nothing at all.

Why AI packages make rich targets

AI products are valuable because they sit close to sensitive data.

A voice AI SDK touches call flows, transcripts, customer identifiers, API keys, webhook secrets, and backend credentials. An Ollama wrapper runs inside local inference workflows, internal prototypes, developer machines, and agent tooling. Those environments are full of .env files, GitHub tokens, cloud credentials, npm tokens, SSH keys, and CI/CD secrets.

That is exactly what this malware collects. Once installed, it sweeps local and cloud credentials, hunts for developer secrets, and pushes the stolen data into attacker-controlled GitHub repositories tagged "Miasma: The Spreading Blight."

Then it spreads. If the payload finds npm publishing rights or GitHub write access, it can poison more packages and republish itself across everything the compromised identity can touch. One infected laptop becomes the seed for a much larger incident.

What AI builders should take from this

AI teams move fast. They pull in new SDKs, model wrappers, agent frameworks, and inference tools every week, most with tiny maintainer teams. That is a near-perfect attack surface.

So treat every package that runs during install as code execution, and every new version as untrusted until verified. At a minimum: pin versions, review lockfile changes, watch for install scripts and binding.gyp usage, rotate secrets after anything suspicious, and keep broad cloud credentials out of local and CI environments.

The blast radius is wider for AI products, because one app can touch user data, model credentials, payment systems, and live agent workflows. That is why a black-box audit of how your app handles those dependencies and secrets beats any checklist. It is the kind of work we do at VibeAudits for vibe-coded apps and AI agent deployments.

Miasma is the clearest signal yet that the AI supply chain has become an easy place to hide malware. Developers trust the packages that help them ship faster, and attackers are counting on exactly that.

VibeAudits

Security Experts

Worried your vibe-coded app has issues like this?

We run professional code audits for SaaS apps and AI features built with Cursor, Claude, Copilot, Lovable and Replit. We find the security and reliability problems before your customers (or attackers) do, then hand you a fix-ready report.