{"id":1033,"date":"2026-05-23T18:22:28","date_gmt":"2026-05-23T18:22:28","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1033"},"modified":"2026-05-23T18:22:28","modified_gmt":"2026-05-23T18:22:28","slug":"packagist-supply-chain-attack-infects-8-packages-using-github-hosted-linux-malware","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1033","title":{"rendered":"Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>May 23, 2026<\/span><\/span>Malware \/ DevSecOps<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

A new \u00abcoordinated\u00bb supply chain attack campaign has impacted eight packages on Packagist <\/b>including malicious code designed to run a Linux binary retrieved from a GitHub Releases URL.<\/p>\n

\u00abAlthough the affected packages were all Composer packages, the malicious code was not added to composer.json,\u00bb Socket said<\/a>. \u00abInstead, it was inserted into package.json, targeting projects that ship JavaScript build tooling alongside PHP code.\u00bb<\/p>\n

This \u00abcross-ecosystem placement\u00bb makes the activity stand out because developers and security teams scanning PHP dependencies may only focus on Composer-related metadata, while skipping package.json lifecycle hooks that are bundled within the package. The malicious versions have since been removed from Packagist.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

An analysis of the packages has uncovered that their upstream repositories have been modified to include a postinstall script that attempts to download a Linux binary from a GitHub Releases URL (\u00abgithub[.]com\/parikhpreyash4\/systemd-network-helper-aa5c751f\u00bb), save it to the \u00ab\/tmp\/.sshd\u00bb folder, change its permissions using \u00abchmod\u00bb to grant execute permissions to all users, and run it in the background.<\/p>\n

The names of the packages and the associated affected version are listed below –<\/p>\n