Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware

The Hacker News by The Hacker News
May 23, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananMay 23, 2026Malware / DevSecOps

A new “coordinated” supply chain attack campaign has impacted eight packages on Packagist including malicious code designed to run a Linux binary retrieved from a GitHub Releases URL.

“Although the affected packages were all Composer packages, the malicious code was not added to composer.json,” Socket said. “Instead, it was inserted into package.json, targeting projects that ship JavaScript build tooling alongside PHP code.”

This “cross-ecosystem placement” makes the activity stand out because developers and security teams scanning PHP dependencies may only focus on Composer-related metadata, while skipping package.json lifecycle hooks that are bundled within the package. The malicious versions have since been removed from Packagist.

An analysis of the packages has uncovered that their upstream repositories have been modified to include a postinstall script that attempts to download a Linux binary from a GitHub Releases URL (“github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f”), save it to the “/tmp/.sshd” folder, change its permissions using “chmod” to grant execute permissions to all users, and run it in the background.

The names of the packages and the associated affected version are listed below –

  • moritz-sauer-13/silverstripe-cms-theme (dev-master)
  • crosiersource/crosierlib-base (dev-master)
  • devdojo/wave (dev-main)
  • devdojo/genesis (dev-main)
  • katanaui/katana (dev-main)
  • elitedevsquad/sidecar-laravel (3.x-dev)
  • r2luna/brain (dev-main)
  • baskarcm/tzi-chat-ui (dev-main)

Socket’s investigation has found references to the same payload across 777 files in GitHub, suggesting that it could be part of a broader campaign. In at least two instances, it was added to a GitHub workflow. However, it’s currently not known how many of these match distinct compromises, forks, duplicate package artifacts, or cached references.

“This suggests the attacker was not relying on a single execution mechanism. In package artifacts, the payload was triggered through package.json postinstall scripts,” the application security firm said. “In workflow files, it was positioned to run during GitHub Actions jobs.”

What’s more, the exact nature of the payload downloaded from GitHub is unclear, as the GitHub account associated with the repository hosting it is no longer available. The choice of the name “gvfsd-network” for the malware is interesting, as it refers to a GNOME Virtual File System (GVfs) daemon responsible for managing and browsing network shares.

“Even without the second-stage binary, the malicious installer is enough to warrant blocking,” Socket said. “It provides remote code execution during installation or build workflows and attempts to hide its activity by disabling TLS verification, suppressing errors, and running a downloaded binary in the background.”



Source link

The Hacker News

The Hacker News

Next Post
npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

Recommended.

NordVPN introduces the free My Location tool to help users check what location information is visible online

NordVPN introduces the free My Location tool to help users check what location information is visible online

April 1, 2026
British Transport Police start using live facial recognition | Computer Weekly

British Transport Police start using live facial recognition | Computer Weekly

February 18, 2026

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio