
node-gyp Supply Chain Worm Abuses binding.gyp to Evade Lifecycle Script Monitoring

  • Announced
  • Action required
  • High importance

Most npm supply chain defenses key on `preinstall` and `postinstall` lifecycle scripts. This attack does not use them at all: a weaponized `binding.gyp` makes node-gyp compile and run attacker code as soon as `npm install` resolves a native dependency, with no lifecycle hooks fired and no alerts raised. Snyk rates it Critical severity and has identified 57 affected packages spanning hundreds of malicious versions, describing the propagation mechanism as self-worm-like.

The real story is not one bad actor but a blind spot. Teams that audited lifecycle scripts after the Miasma campaign two weeks ago may have checked the wrong thing. Until tooling treats `binding.gyp` as an injection surface, the practical floor is to audit native dependencies for unexpected node-gyp build artifacts and to run installs in isolated environments with network egress blocked.
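The audit step above can be automated. The script below is an added example written for this page, not tooling from Snyk or from the node-gyp project, and its heuristics are assumptions rather than findings from the advisory: it treats GYP command expansions (`<!(cmd)` and `<!@(cmd)`, which run a shell command when gyp generates build files), `actions` entries (which run an arbitrary command list during the build), and a `binding.gyp` inside a package that declares no native-addon helper dependency as things a reviewer should look at. The two sample packages are constructed for the demonstration and do not correspond to real packages.

```python
"""Audit an installed tree for binding.gyp files that can run commands during a node-gyp build.
Heuristics are assumptions of this example, not rules from the advisory. Standard library only."""
import ast
import json
import os
import re

# '<!(' or '<!@(' opens a GYP command expansion (executed when gyp generates build files).
CMD_EXPANSION = re.compile(r"<!@?\(")
# Packages that legitimately ship native addons normally depend on one of these helpers.
NATIVE_DEPS = {"nan", "node-addon-api", "bindings", "node-gyp-build", "prebuild-install", "node-gyp"}


def parse_gyp(text):
    """GYP files use Python-literal syntax; ast.literal_eval parses them without executing anything."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return None


def walk_strings(node):
    """Yield every string value in the nested dict/list structure of a parsed GYP file."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from walk_strings(value)
    elif isinstance(node, (list, tuple)):
        for value in node:
            yield from walk_strings(value)


def collect_actions(node):
    """Yield (action_name, command list) for every 'actions' entry at any depth (targets, conditions)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "actions" and isinstance(value, list):
                for act in value:
                    if isinstance(act, dict):
                        yield act.get("action_name", "?"), act.get("action", [])
            yield from collect_actions(value)
    elif isinstance(node, list):
        for value in node:
            yield from collect_actions(value)


def classify_expansion(text, declared_deps):
    """A 'node -e/-p' expansion that only asks a declared addon helper for its include path is routine;
    any other expansion is flagged for review."""
    command = text[CMD_EXPANSION.search(text).end():]
    if re.match(r"node\s+-[ep]\b", command) and any(dep in command for dep in declared_deps & NATIVE_DEPS):
        return "expected"
    return "suspicious"


def audit_binding_gyp(gyp_text, package_json):
    """Return a list of (severity, message) findings for one package's binding.gyp."""
    gyp = parse_gyp(gyp_text)
    if gyp is None:
        return [("suspicious", "binding.gyp did not parse as a GYP literal; review by hand")]
    deps = set(package_json.get("dependencies", {})) | set(package_json.get("devDependencies", {}))
    findings = []
    for s in walk_strings(gyp):
        if CMD_EXPANSION.search(s):
            findings.append((classify_expansion(s, deps), f"command expansion: {s}"))
    for name, cmd in collect_actions(gyp):
        findings.append(("suspicious", f"build action '{name}' runs: {' '.join(map(str, cmd))}"))
    if not deps & NATIVE_DEPS:
        findings.append(("suspicious", "binding.gyp present but no native-addon dependency declared"))
    return findings


def audit_tree(root):
    """Walk an installed tree (e.g. node_modules) and map package name -> findings per binding.gyp."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        if "binding.gyp" not in filenames:
            continue
        with open(os.path.join(dirpath, "binding.gyp"), encoding="utf-8") as fh:
            gyp_text = fh.read()
        pkg = {}
        pj_path = os.path.join(dirpath, "package.json")
        if os.path.exists(pj_path):
            with open(pj_path, encoding="utf-8") as fh:
                pkg = json.load(fh)
        findings = audit_binding_gyp(gyp_text, pkg)
        if findings:
            report[pkg.get("name", os.path.basename(dirpath))] = findings
    return report


# Constructed samples (not real packages): a routine node-addon-api build and a suspicious one.
BENIGN_GYP = """{
  'targets': [{
    'target_name': 'addon',
    'sources': ['src/addon.cc'],
    'include_dirs': ["<!@(node -p \\"require('node-addon-api').include\\")"],
  }]
}"""
BENIGN_PKG = {"name": "good-addon", "dependencies": {"node-addon-api": "^7.0.0"}}

SUSPICIOUS_GYP = """{
  'variables': {'prep': '<!(python3 helper.py)'},  # runs when gyp generates the build files
  'targets': [{
    'target_name': 'addon',
    'sources': ['src/addon.cc'],
    'actions': [{
      'action_name': 'prepare',
      'inputs': [], 'outputs': ['build/prepared'],
      'action': ['sh', 'scripts/prepare.sh'],
    }],
  }]
}"""
SUSPICIOUS_PKG = {"name": "odd-pkg", "dependencies": {"lodash": "^4.17.21"}}

if __name__ == "__main__":
    for pkg, gyp in ((BENIGN_PKG, BENIGN_GYP), (SUSPICIOUS_PKG, SUSPICIOUS_GYP)):
        print(pkg["name"])
        for severity, message in audit_binding_gyp(gyp, pkg):
            print(f"  [{severity}] {message}")
    # On a real project: audit_tree("node_modules") after an install in an egress-blocked sandbox.
```

Run it against a fresh install performed in the isolated environment the advisory recommends, and review every `suspicious` entry by hand; the `expected` classification only covers the common pattern of querying a declared helper such as `node-addon-api` for its include path, so a legitimate package with an unusual build may also be flagged and need a manual look.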