Full Report
A new "coordinated" supply chain attack campaign has impacted eight packages on Packagist including malicious code designed to run a Linux binary retrieved from a GitHub Releases URL. "Although the affected packages were all Composer packages, the malicious code was not added to composer.json," Socket said. "Instead, it was inserted into package.json, targeting projects that ship JavaScript
Analysis Summary
# Incident Report: Cross-Ecosystem Supply Chain Attack on Packagist
## Executive Summary
A coordinated supply chain attack targeted the Packagist PHP ecosystem by embedding malicious `package.json` lifecycle hooks into Composer packages. The attack leveraged "cross-ecosystem" placement to execute a Linux-based binary on systems where PHP projects utilized JavaScript build tooling. The campaign affected at least eight known packages and showed evidence of broader reach through GitHub Actions workflow compromises.
## Incident Details
- **Discovery Date:** May 23, 2026 (Reported)
- **Incident Date:** Circa May 2026
- **Affected Organization:** Multiple (Users of specific Packagist repositories)
- **Sector:** Software Development / Technology
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026
- **Vector:** Supply Chain Compromise / Upstream Repository Manipulation
- **Details:** Attackers gained access to the upstream repositories of eight Packagist packages, modifying them to include malicious instructions in the `package.json` file.
### Lateral Movement
- **Mechanism:** The attack exploited the integration between PHP (Composer) and JavaScript (NPM/Yarn) ecosystems. When a developer or CI/CD system ran JavaScript build tools for a PHP project, the malicious `postinstall` script triggered the next stage of the attack.
### Data Exfiltration/Impact
- **Details:** Execution of a second-stage Linux binary. The specific payload capabilities are unknown due to the removal of the hosting GitHub account, but the installer provided Remote Code Execution (RCE) and attempted to establish persistence.
### Detection & Response
- **Discovery:** Identified by security firm Socket via automated analysis of package lifecycle hooks.
- **Response Actions taken:** Malicious versions were removed from Packagist; the GitHub account hosting the malware was taken down.
## Attack Methodology
- **Initial Access:** Hijacking of upstream maintainer accounts or repository environments.
- **Persistence:** Utilization of `postinstall` hooks in `package.json` to ensure code execution upon every installation or update.
- **Defense Evasion:**
- **Cross-Ecosystem Placement:** Placing JS malware in a PHP-centric package to bypass language-specific scanners.
- **Masquerading:** Naming the malware "gvfsd-network" to mimic a legitimate GNOME Virtual File System daemon.
- **Security Disabling:** Disabling TLS verification and suppressing error messages during the download of the second-stage binary.
- **Impact:** Remote Code Execution (RCE) on developer workstations and CI/CD runners.
## Impact Assessment
- **Financial:** Unknown; potential costs related to incident response for affected downstream users.
- **Data Breach:** High risk; the ability to run arbitrary binaries allows for credential theft and source code exfiltration.
- **Operational:** Disruption of development workflows and requirement for manual cleanup of infected environments.
- **Reputational:** Damage to the perceived security of the Packagist ecosystem and the specific affected open-source projects.
## Indicators of Compromise
- **File Indicators:** Use of `/tmp/.sshd` for storing malicious binaries.
- **Behavioral Indicators:** `chmod` execution on temporary files; unauthorized background execution of "gvfsd-network"; outbound connections to GitHub Releases with TLS verification disabled.
- **Network Indicators (Defanged):**
- hxxps[://]github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f
- hxxps[://]github[.]com/parikhpreyash4 (Account now inactive)
## Response Actions
- **Containment:** Removal of affected package versions from the Packagist registry.
- **Eradication:** Suspension of the GitHub repository hosting the second-stage Linux binary.
- **Recovery:** Public disclosure and notification to the community to audit developer environments and CI/CD logs.
## Lessons Learned
- **Blind Spots:** Security teams often focus on the primary language of a project (PHP/Composer) while neglecting secondary configuration files (`package.json`) that may be present for tooling.
- **Workflow Security:** The discovery of the payload in GitHub Actions workflow files highlights the need to sign and pin actions to specific commit hashes.
## Recommendations
- **Multi-Manifest Auditing:** Implement security scanning that covers all manifest files (e.g., `composer.json`, `package.json`, `requirements.txt`) regardless of the project's primary language.
- **Disable Lifecycle Scripts:** Use flags like `--ignore-scripts` during installation in CI/CD environments unless strictly necessary.
- **Egress Filtering:** Restrict build server and developer environment outbound traffic to known-good domains to prevent the fetching of unauthorized second-stage binaries.