SHA-256 hash of binding.gyp file, byte-identical across all 22 compromised packages; triggers 'Phantom Gyp' node-gyp execution of malicious index.js without preinstall/postinstall hooks