Docker Security Dispatch — Issue 4: Miasma, Phantom Gyp, and AI Routing 🪱️
The fourth issue of Docker Security Dispatch: Miasma and Phantom Gyp worms, malicious AI routers, agentic remediation, upcoming WeAreDevelopers sessions, BaselOne talk, and a comic book announcement.
Welcome to the fourth issue of Docker Security Dispatch, written from the beautiful city of Bratislava, Slovakia. June has proven that the security battleground has shifted from the production server to the developer's workstation, the CI/CD pipeline cache, and the AI agent's execution context. Supply chain worms are evolving to bypass the most trusted industry defenses, and new research has exposed critical flaws in the AI routing layer.
Key Takeaways
- Miasma & Phantom Gyp: The latest wave of npm worms bypasses the `--ignore-scripts` defense using native `binding.gyp` command substitution.
- Malicious AI Routers: Understanding the implications of the "Your Agent Is Mine" research, which reveals how third-party LLM APIs alter in-flight tool-calling requests.
- Agentic Remediation: New insights on safely scaling agentic AI in production environments.
- Upcoming Events & Releases: Details on my upcoming WeAreDevelopers World Congress sessions, a new talk at BaselOne, and a special comic book announcement.

🪱 The Evolution of Worms: Miasma and Phantom Gyp
If you need a refresher on worms, perhaps take a look at my talk notes from EnterJS 2026: Defense Against the Dark Arts: NPM Attack.

Just as the community began remediating the fallout from the TanStack CI cache poisoning, a highly sophisticated descendant emerged. In early June, the Miasma worm debuted a terrifying evasion technique dubbed "Phantom Gyp".

For years, the standard advice for preventing malicious package execution during installation has been to run `npm install --ignore-scripts`. Miasma renders this control entirely ineffective. The attackers embedded a tiny `binding.gyp` file inside the published tarballs. Because package managers must process native bindings via `node-gyp` before the C++ compiler is invoked, the malware uses command substitution to force the evaluation of an attacker-controlled shell payload during the configuration phase, a step that `--ignore-scripts` does not cover.
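A defensive check for the Phantom Gyp pattern, as an added example that is not code from this newsletter or from the worm analysis it links to: it opens an npm tarball in memory and flags any `binding.gyp` whose fields use gyp's `<!(...)` / `<!@(...)` command expansion, the mechanism that runs a command at `node-gyp configure` time. That expansion syntax is gyp's documented one; whether Miasma uses exactly this form is an assumption on my part, and the sample tarball below is constructed.

```python
import io
import json
import tarfile

# gyp runs "<!(cmd)" and "<!@(cmd)" during `node-gyp configure`, before any
# compiler starts; plain "<(var)" variable substitution is not flagged.
COMMAND_EXPANSION_MARKERS = ("<!(", "<!@(")


def gyp_command_expansions(gyp_text: str) -> list[str]:
    """Return every string in a binding.gyp that triggers command expansion."""
    try:
        nodes = [json.loads(gyp_text)]
    except json.JSONDecodeError:
        # gyp files are Python literals, not strict JSON: fall back to raw lines
        nodes = gyp_text.splitlines()
    hits: list[str] = []
    while nodes:  # iterative walk over dicts, lists and strings
        node = nodes.pop()
        if isinstance(node, dict):
            nodes.extend(node.values())
        elif isinstance(node, list):
            nodes.extend(node)
        elif isinstance(node, str) and any(m in node for m in COMMAND_EXPANSION_MARKERS):
            hits.append(node.strip())
    return hits


def scan_npm_tarball(data: bytes) -> dict[str, list[str]]:
    """Map each binding.gyp inside a packed npm tarball to its command expansions."""
    findings: dict[str, list[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("binding.gyp"):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                if hits := gyp_command_expansions(text):
                    findings[member.name] = hits
    return findings


def build_sample_tarball() -> bytes:
    """Constructed sample: a clean addon next to one carrying a command expansion."""
    clean = {"targets": [{"target_name": "addon", "sources": ["src/addon.cc"]}]}
    flagged = {"targets": [{"target_name": "addon", "sources": ["src/addon.cc"],
                            "variables": {"prep": "<!(echo placeholder-command)"}}]}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, gyp in (("package/binding.gyp", flagged), ("package/deps/binding.gyp", clean)):
            payload = json.dumps(gyp).encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Point `scan_npm_tarball` at the bytes of an `npm pack` tarball before installing it; an empty result means no command expansion was found, not that the package is safe.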
I've put together a comprehensive analysis of the recent worm campaigns tearing through the ecosystem. You can read my full breakdown of the 6 worms here: Beyond SLSA: The Worms Are Here.
Also, I gave Phantom Gyp a special treatment by "composing" a piece of music for it.
🤖 The AI Supply Chain & Production-Safe Remediation
This month, I'm also poking my finger into academic research. This section is about a research paper titled "Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain" by Hanzhi Liu et al. from UC Santa Barbara (Liu et quinque plures homines, as they say in Latin). The paper explores the security implications of using third-party LLM APIs in production environments.
LLM API routers are basically a part of the transport layer that sits between your code and the LLM. They are responsible for routing requests to the appropriate model, handling retries, and managing rate limits. However, these routers have plaintext access to in-flight JSON payloads, which means that, if compromised, they can silently rewrite an LLM's output. A benign installation URL generated by an LLM can be swapped for a malicious script, or an API key can be seamlessly exfiltrated.
To safely utilize these tools, we must rethink how we deploy them. I recently co-authored a deep dive on this exact topic that was featured on the main page of DZone! Check it out here: Building Production-Safe Agentic Remediation With Docker MCP Gateway: Lessons From 43% to 100% Accuracy.
🎙️ Recent Talks & Catch-Ups
If you missed my recent conference appearances, the writeups and recordings are now available:

- EnterJS 2026: Defense Against the Dark Arts: NPM Attack
- JRush: I recently joined the JRush livestream for a great discussion on the current threat landscape. Watch the replay on YouTube here.
📅 Upcoming Events: Berlin & Basel

The conversation regarding advanced supply chain security will continue next month in Berlin at the WeAreDevelopers World Congress. I have a packed schedule, and I’d love to see you there:
- July 8 (Pre-conference meetup): Agentic AI in the Wild: What Actually Runs in Production – I'm co-organizing this event alongside Dana Fine and Zaid Zaim. We have a fantastic lineup of speakers, including Ana-Maria Mihalceanu.
- July 9 (Conference workshop): Dockerize Java Securely: SBOMs + Attestations + Bake, which is Docker Commandos v1.6.3.
- July 10 (Conference talk): Beyond SBOMs: The Future of Container Supply Chain Security.
Looking further ahead: I am thrilled to announce that my talk has also been officially accepted at BaselOne! More details on the schedule for that will follow soon.
📚 Special Announcement: "Black Forest Commandos: Asgard Mission"
Finally, I am incredibly excited to announce that my comic book, "Black Forest Commandos: Asgard Mission," is officially coming out in September!
This comic tells the story of the 10 Docker Commandos workshop series. It chronicles the exact narrative and technical challenges as they happened live during the workshops at:
- WeAreDevelopers Berlin 2026
- JCON Europe 2026
- Rabobank 2026
The comic will be available in both print and digital formats. Stay tuned for pre-order information later this summer!
Until then, keep your caches isolated, sandbox your AI agents, and verify your dependencies.
Published July 1, 2026 · 5 min read
