[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fbhOGkzYO7Byt88XQN7dUk7rhE0Lka1_3AnRSBygJiB4":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"c57e3a25-0469-41f4-82bf-2da8b562b866","Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware","packagist-supply-chain-attack-infects-8-packages-using-github-hosted-linux-malwa-f8e1e1","A new \"coordinated\" supply chain attack campaign has impacted eight packages on Packagist including malicious code designed to run a Linux binary retrieved from a GitHub Releases URL. \"Although the affected packages were all Composer packages, the malicious code was not added to composer.json,\" Socket said. \"Instead, it was inserted into package.json, targeting projects that ship JavaScript","A coordinated supply chain attack compromised eight Packagist packages by injecting malicious code into package.json files. The injected code downloads and executes a Linux binary from a now-unavailable GitHub repository, potentially granting remote code execution during installation or build workflows.","Supply chain attack on Packagist infects eight packages with GitHub-hosted Linux malware.","Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware Ravie LakshmananMay 23, 2026Malware \u002F DevSecOps A new \"coordinated\" supply chain attack campaign has impacted eight packages on Packagist including malicious code designed to run a Linux binary retrieved from a GitHub Releases URL. \"Although the affected packages were all Composer packages, the malicious code was not added to composer.json,\" Socket said. \"Instead, it was inserted into package.json, targeting projects that ship JavaScript build tooling alongside PHP code.\" This \"cross-ecosystem placement\" makes the activity stand out because developers and security teams scanning PHP dependencies may only focus on Composer-related metadata, while skipping package.json lifecycle hooks that are bundled within the package. The malicious versions have since been removed from Packagist. An analysis of the packages has uncovered that their upstream repositories have been modified to include a postinstall script that attempts to download a Linux binary from a GitHub Releases URL (\"github[.]com\u002Fparikhpreyash4\u002Fsystemd-network-helper-aa5c751f\"), save it to the \"\u002Ftmp\u002F.sshd\" folder, change its permissions using \"chmod\" to grant execute permissions to all users, and run it in the background. The names of the packages and the associated affected version are listed below - moritz-sauer-13\u002Fsilverstripe-cms-theme (dev-master) crosiersource\u002Fcrosierlib-base (dev-master) devdojo\u002Fwave (dev-main) devdojo\u002Fgenesis (dev-main) katanaui\u002Fkatana (dev-main) elitedevsquad\u002Fsidecar-laravel (3.x-dev) r2luna\u002Fbrain (dev-main) baskarcm\u002Ftzi-chat-ui (dev-main) Socket's investigation has found references to the same payload across 777 files in GitHub, suggesting that it could be part of a broader campaign. In at least two instances, it was added to a GitHub workflow. However, it's currently not known how many of these match distinct compromises, forks, duplicate package artifacts, or cached references. \"This suggests the attacker was not relying on a single execution mechanism. In package artifacts, the payload was triggered through package.json postinstall scripts,\" the application security firm said. \"In workflow files, it was positioned to run during GitHub Actions jobs.\" What's more, the exact nature of the payload downloaded from GitHub is unclear, as the GitHub account associated with the repository hosting it is no longer available. The choice of the name \"gvfsd-network\" for the malware is also notable, as it refers to a GNOME Virtual File System (GVfs) daemon responsible for managing and browsing network shares. \"Even without the second-stage binary, the malicious installer is enough to warrant blocking,\" Socket said. \"It provides remote code execution during installation or build workflows and attempts to hide its activity by disabling TLS verification, suppressing errors, and running a downloaded binary in the background.\" Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Composer, cybersecurity, DevSecOps, GitHub, linux, Malware, Open Source, Packagist, remote code execution, Supply Chain Attack ⚡ Top Stories This Week Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI\u002FCD Workflows ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories Microsoft Warns of Two Actively Exploited Defender Vulnerabilities 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective The New Phishing Click: How OAuth Consent Bypasses MFA Developer Workstations Are Now Part of the Software Supply Chain ⭐ Featured Resources Claim ANY.RUN Anniversary Offer for Faster Malware Analysis [Guide] Learn to Detect AI Typosquatting Risks in Your Domain [Guide] Get Key Identity Security Insights From 2026 Snapshot Discover How to Navigate the Era of Constant Cyber Exposure","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fpackagist-supply-chain-attack-infects-8.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEiQ5LyRYJIkEVUSrrBV-_qvrXIKC-B4h0JAxyV4IalzuiEzXi6KeCnZNTUWIIld3oeC5kDx85xppqYm9tG_UB3_Sss9WqH2bYsOVxkB3PhjUk_cQrdyvr6JKsYgn35_sESYYsLC_OuKN9_2korX__RfHwkecLX_BGk7aajnm3sfNqbpV4Pl55B1fpSBpbOA\u002Fs1600\u002Fpackagist.jpg","2026-05-23T16:07:51+00:00","2026-05-23T18:00:09.356389+00:00",9,[18,21,23,25,28],{"name":19,"type":20},"Packagist","product",{"name":22,"type":20},"Composer",{"name":24,"type":20},"GitHub",{"name":26,"type":27},"Linux","technology",{"name":29,"type":30},"Socket","vendor","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":31,"icon":33,"name":34,"slug":35},null,"Supply Chain","supply-chain",[37,39,44],{"category":38},{"id":31,"icon":33,"name":34,"slug":35},{"category":40},{"id":41,"icon":33,"name":42,"slug":43},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":45},{"id":46,"icon":33,"name":47,"slug":48},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",[]]