Docker Security Dispatch - Issue 4: Miasma, Phantom Gyp, and AI Routing 🪱️

Welcome to the fourth issue of Docker Security Dispatch, written from the beautiful city of Bratislava, Slovakia. June has proven that the security battleground has shifted from the production server to the developer's workstation, the CI/CD pipeline cache, and the AI agent's execution context. Supply chain worms are evolving to bypass the most trusted industry defenses, and new research has exposed critical flaws in the AI routing layer.

Key Takeaways

  • Miasma & Phantom Gyp: The latest wave of npm worms bypasses the --ignore-scripts defense using native binding.gyp command substitution.
  • Malicious AI Routers: Understanding the implications of the "Your Agent Is Mine" research, which reveals how third-party LLM APIs alter in-flight tool-calling requests.
  • Agentic Remediation: New insights on safely scaling agentic AI in production environments.
  • Upcoming Events & Releases: Details on my upcoming WeAreDevelopers World Congress sessions, a new talk at BaselOne, and a special comic book announcement.

🪱 The Evolution of Worms: Miasma and Phantom Gyp

If you need a refresher on worms, perhaps take a look at my talk notes from EnterJS 2026: Defense Against the Dark Arts: NPM Attack. Just as the community began remediating the fallout from the TanStack CI cache poisoning, a highly sophisticated descendant emerged.

In early June, the Miasma worm debuted a terrifying evasion technique dubbed "Phantom Gyp". For years, the standard advice for preventing malicious package execution during installation has been to run npm install --ignore-scripts. Miasma renders this control entirely ineffective. The attackers embedded a tiny binding.gyp file inside the published tarballs. Because package managers must process native bindings via node-gyp before the C++ compiler is invoked, the malware uses command substitution to force the evaluation of an attacker-controlled shell payload during the configuration phase.
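The mechanism described above lives in a configure-time file rather than in package.json scripts, so it is worth scanning for directly. The following is an added example (my own illustration, not code from the worm analysis or from any npm tooling) that walks a node_modules tree, parses each binding.gyp as the Python-literal dialect GYP uses, and reports every command expansion (`<!(…)` and `<!@(…)`, the GYP syntax that runs a shell command during configuration). Expansions that use an interpreter, a downloader or a pipe are marked "block"; any other expansion is marked "review", because legitimate addons (for example the node-addon-api include-path probe) do use them. The token list and the two sample packages are constructed for the example.

```python
"""Scan a dependency tree for binding.gyp files that run shell commands at
configure time. Added example; heuristics and samples are constructed."""
import ast
import os
import re
import tempfile

# GYP command expansion: "<!(cmd)" or "<!@(cmd)" evaluates cmd when gyp configures the build.
CMD_EXPANSION = re.compile(r"<!@?\((.*)\)", re.DOTALL)

# Constructed heuristic: fragments a legitimate configure-time probe should not need.
SUSPICIOUS_TOKENS = ("sh -c", "bash -c", "curl ", "wget ", "| sh", "| bash", "base64 -d", "eval ")


def iter_strings(node):
    """Yield every string value inside a parsed GYP structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(key)
            yield from iter_strings(value)
    elif isinstance(node, (list, tuple)):
        for value in node:
            yield from iter_strings(value)


def find_command_expansions(gyp_text):
    """Return the shell command inside each command expansion in a binding.gyp body."""
    try:
        parsed = ast.literal_eval(gyp_text)  # GYP files are Python literals (JSON-compatible)
        strings = list(iter_strings(parsed))
    except (ValueError, SyntaxError):
        strings = [gyp_text]  # unparseable file: fall back to a raw text search
    commands = []
    for s in strings:
        match = CMD_EXPANSION.search(s)
        if match:
            commands.append(match.group(1).strip())
    return commands


def classify(gyp_text):
    """Return ('block' | 'review' | 'clean', commands) for one binding.gyp body."""
    commands = find_command_expansions(gyp_text)
    flagged = [c for c in commands if any(tok in c for tok in SUSPICIOUS_TOKENS)]
    if flagged:
        return "block", flagged
    if commands:
        return "review", commands
    return "clean", []


def scan_tree(root):
    """Walk root and classify every binding.gyp found; returns {relative path: verdict}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        if "binding.gyp" in files:
            path = os.path.join(dirpath, "binding.gyp")
            with open(path, encoding="utf-8", errors="replace") as fh:
                verdict, _ = classify(fh.read())
            findings[os.path.relpath(path, root).replace(os.sep, "/")] = verdict
    return findings


# Constructed sample: a conventional node-addon-api include probe ...
BENIGN_GYP = r'''{
  "targets": [{
    "target_name": "addon",
    "sources": ["src/addon.cc"],
    "include_dirs": ["<!@(node -p \"require('node-addon-api').include\")"]
  }]
}'''

# ... and a constructed stand-in for a tiny, source-less binding.gyp that shells out.
SUSPECT_GYP = r'''{
  "targets": [{
    "target_name": "noop",
    "sources": [],
    "variables": {"probe": "<!(sh -c \"echo CONSTRUCTED-PLACEHOLDER\")"}
  }]
}'''


def demo():
    """Build a throwaway node_modules tree with both samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for pkg, body in (("good-addon", BENIGN_GYP), ("suspect-pkg", SUSPECT_GYP)):
            pkg_dir = os.path.join(root, "node_modules", pkg)
            os.makedirs(pkg_dir)
            with open(os.path.join(pkg_dir, "binding.gyp"), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:7} {path}")
```

Run it against a real checkout by calling `scan_tree("path/to/project")`; anything marked "block" deserves a look before a build ever reaches node-gyp, and "review" entries are worth diffing against the previous published version of the same package.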

I've put together a comprehensive analysis of the recent worm campaigns tearing through the ecosystem. You can read my full breakdown of the 6 worms here: Beyond SLSA: The Worms Are Here. Also, I gave Phantom Gyp a special treatment, "composing" music for it: Phantom Gyp Music.

🤖 The AI Supply Chain & Production-Safe Remediation

This month, I'm also dipping into academic research. This section is about a research paper titled "Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain" by Hanzhi Liu et al. from UC Santa Barbara (Liu et quinque plures homines, as they say in Latin). The paper explores the security implications of using third-party LLM APIs in production environments.

LLM API routers sit in the transport layer between your code and the model provider. They are responsible for routing requests to the appropriate model, handling retries, and managing rate limits. However, these routers have plaintext access to the in-flight JSON payloads in both directions, which means that a compromised router can silently rewrite an LLM's output. A benign installation URL generated by an LLM can be swapped for a malicious script, or an API key can be seamlessly exfiltrated.

To safely utilize these tools, we must rethink how we deploy them. I recently co-authored a deep dive on this exact topic that was featured on the main page of DZone! Check it out here: Building Production-Safe Agentic Remediation With Docker MCP Gateway: Lessons From 43% to 100% Accuracy.

🎙️ Recent Talks & Catch-Ups

If you missed my recent conference appearances, the write-ups and recordings are now available:

  • EnterJS 2026: Defense Against the Dark Arts: NPM Attack
  • JRush: I recently joined the JRush livestream for a great discussion on the current threat landscape. Watch the replay on YouTube here.

📅 Upcoming Events: Berlin & Basel

The conversation regarding advanced supply chain security will continue next month in Berlin at the WeAreDevelopers World Congress. I have a packed schedule, and I’d love to see you there:

  • July 8 (Pre-conference meetup): Agentic AI in the Wild: What Actually Runs in Production – I'm co-organizing this event alongside Dana Fine and Zaid Zaim. We have a fantastic lineup of speakers, including Ana-Maria Mihalceanu.
  • July 9 (Conference workshop): Dockerize Java Securely: SBOMs + Attestations + Bake, which is Docker Commandos v1.6.3.
  • July 10 (Conference talk): Beyond SBOMs: The Future of Container Supply Chain Security.

Looking further ahead: I am thrilled to announce that my talk has also been officially accepted at BaselOne! More details on the schedule for that will follow soon.

📚 Special Announcement: "Black Forest Commandos: Asgard Mission"

Finally, I am incredibly excited to announce that my comic book, "Black Forest Commandos: Asgard Mission," is officially coming out in September! This comic tells the story of the 10 Docker Commandos workshop series. It chronicles the exact narrative and technical challenges as they happened live during the workshops at:

  • WeAreDevelopers Berlin 2026
  • JCON Europe 2026
  • Rabobank 2026

The comic will be available in both print and digital formats. Stay tuned for pre-order information later this summer!

Until then, keep your caches isolated, sandbox your AI agents, and verify your dependencies.
