Viernes 26 Junio 2026 08:32:34 GMT+02:00

Netcrook


WIKICROOK

node-gyp

The build tool commonly used to compile native Node.js addons from binding.gyp instructions.

node-gyp is the build tool commonly used to compile native Node.js addons from binding.gyp instructions. Instead of shipping only JavaScript, a package can include C or C++ code that must be built for the target platform during installation.

In cyber security, node-gyp matters because build-time activity is part of the attack surface. A compromised package can trigger compilation steps on a developer workstation or in CI before the application ever runs. That can make dependency installs a delivery path for malicious code, unexpected network access, or credential exposure. Defenders reduce this risk by reviewing packages that use native builds, limiting install scripts, pinning dependencies, checking lockfiles, and using provenance or sandboxing controls for build jobs. node-gyp itself is legitimate plumbing, but in supply-chain attacks it can become the mechanism that turns a trusted install into an execution point.
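One way to put the "review packages that use native builds" step into practice, as an added example that is not Netcrook's code: a small script that triages package.json manifests for install-time native build indicators (binding.gyp, node-gyp-style install hooks, addon helper dependencies) so they can be reviewed before install scripts are allowed to run. The sample manifests, package names and script commands below are constructed.

```javascript
// Added example, not Netcrook's code: triage npm manifests for native build
// activity (node-gyp and friends) before `npm install` is allowed to run it.
// Input: parsed package.json objects, e.g. read from node_modules/*/package.json;
// the manifests at the bottom are constructed samples.

// Lifecycle hooks npm runs automatically during install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Install-time tools that compile or download native code.
const NATIVE_TOOLS = /\b(node-gyp|node-gyp-build|node-pre-gyp|prebuild-install)\b/;
// Dependencies that only make sense for a C/C++ addon.
const ADDON_DEPS = ["nan", "node-addon-api", "node-gyp", "node-gyp-build", "prebuild-install"];

function findNativeBuildIndicators(pkg) {
  const reasons = [];
  // npm sets gypfile:true and defaults install to `node-gyp rebuild` when a
  // package ships binding.gyp and defines no install/preinstall script itself.
  if (pkg.gypfile === true || (pkg.files || []).includes("binding.gyp")) {
    reasons.push("ships binding.gyp; npm defaults install to `node-gyp rebuild`");
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    reasons.push(NATIVE_TOOLS.test(cmd)
      ? `${hook} runs a native build tool: ${cmd}`
      : `${hook} runs an arbitrary command: ${cmd}`);
  }
  const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
  for (const d of ADDON_DEPS) if (d in deps) reasons.push(`depends on addon helper ${d}`);
  return { name: pkg.name, version: pkg.version, reasons };
}

// Returns only the packages a reviewer must look at before enabling scripts.
function auditManifests(manifests) {
  return manifests.map(findNativeBuildIndicators).filter((r) => r.reasons.length > 0);
}

// Constructed sample manifests standing in for node_modules/*/package.json.
const SAMPLE_MANIFESTS = [
  { name: "fast-hash", version: "2.1.0", gypfile: true, files: ["binding.gyp", "src/"],
    dependencies: { "node-addon-api": "^7.0.0" } },
  { name: "color-helper", version: "1.4.2",
    scripts: { postinstall: "node scripts/setup.js" } },
  { name: "left-pad", version: "1.3.0", main: "index.js" },
];

for (const hit of auditManifests(SAMPLE_MANIFESTS)) {
  console.log(`${hit.name}@${hit.version}`);
  hit.reasons.forEach((r) => console.log(`  - ${r}`));
}
```

Running the audit after `npm ci --ignore-scripts` lets a reviewer see the flagged packages before any compile step executes, then re-enable scripts only for the ones that pass review.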
