{"id":253480,"date":"2026-05-23T12:07:00","date_gmt":"2026-05-23T16:07:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/23\/packagist-supply-chain-attack-infects-8-packages-using-github-hosted-linux-malware\/"},"modified":"2026-05-23T13:15:11","modified_gmt":"2026-05-23T17:15:11","slug":"packagist-supply-chain-attack-infects-8-packages-using-github-hosted-linux-malware","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/23\/packagist-supply-chain-attack-infects-8-packages-using-github-hosted-linux-malware\/","title":{"rendered":"Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/packagist-supply-chain-attack-infects-8.html\">Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/packagist-supply-chain-attack-infects-8.html\">https:\/\/thehackernews.com\/2026\/05\/packagist-supply-chain-attack-infects-8.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-23 12:07:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">May 23, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ DevSecOps<\/span><\/p>\n<p>A new &#8220;coordinated&#8221; supply chain attack campaign has impacted eight packages on Packagist including malicious code designed to run a Linux binary retrieved from a GitHub Releases URL.<\/p>\n<p>&#8220;Although the affected packages were all Composer packages, the malicious code was not added to composer.json,&#8221; Socket said. &#8220;Instead, it was inserted into package.json, targeting projects that ship JavaScript build tooling alongside PHP code.&#8221;<\/p>\n<p>This &#8220;cross-ecosystem placement&#8221; makes the activity stand out because developers and security teams scanning PHP dependencies may only focus on Composer-related metadata, while skipping package.json lifecycle hooks that are bundled within the package. The malicious versions have since been removed from Packagist.<\/p>\n<p>An analysis of the packages has uncovered that their upstream repositories have been modified to include a postinstall script that attempts to download a Linux binary from a GitHub Releases URL (&#8220;github[.]com\/parikhpreyash4\/systemd-network-helper-aa5c751f&#8221;), save it to the &#8220;\/tmp\/.sshd&#8221; folder, change its permissions using &#8220;chmod&#8221; to grant execute permissions to all users, and run it in the background.<\/p>\n<p>The names of the packages and the associated affected version are listed below &#8211;<\/p>\n<ul>\n<li>moritz-sauer-13\/silverstripe-cms-theme (dev-master)<\/li>\n<li>crosiersource\/crosierlib-base (dev-master)<\/li>\n<li>devdojo\/wave (dev-main)<\/li>\n<li>devdojo\/genesis (dev-main)<\/li>\n<li>katanaui\/katana (dev-main)<\/li>\n<li>elitedevsquad\/sidecar-laravel (3.x-dev)<\/li>\n<li>r2luna\/brain (dev-main)<\/li>\n<li>baskarcm\/tzi-chat-ui (dev-main)<\/li>\n<\/ul>\n<p><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"663\" data-original-width=\"1226\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhDQ9n2zGUMElT3fTmlxFcqwhshj_IUfwaETriEbm3_zMnbsUNtmt43furrUjIkzoKQeoBK_6NyKLVwM9qoqhJrDBFI8Qv53_wxVUJZHYmHJuVOwnp1kbZzRNP2MFTo69d7aYCfi4N9Mvvytx8Sgdyd4lOn5gluusuog7MuXvQh2P5FTMXgbq8iH853xScQ\/s1600\/git.png\"\/><\/p>\n<p>Socket&#8217;s investigation has found references to the same payload across 777 files in GitHub, suggesting that it could be part of a broader campaign. In at least two instances, it was added to a GitHub workflow. However, it&#8217;s currently not known how many of these match distinct compromises, forks, duplicate package artifacts, or cached references.<\/p>\n<p>&#8220;This suggests the attacker was not relying on a single execution&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/packagist-supply-chain-attack-infects-8.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware https:\/\/thehackernews.com\/2026\/05\/packagist-supply-chain-attack-infects-8.html Publish Date: 2026-05-23&#8230;<\/p>\n","protected":false},"author":1,"featured_media":253482,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiQ5LyRYJIkEVUSrrBV-_qvrXIKC-B4h0JAxyV4IalzuiEzXi6KeCnZNTUWIIld3oeC5kDx85xppqYm9tG_UB3_Sss9WqH2bYsOVxkB3PhjUk_cQrdyvr6JKsYgn35_sESYYsLC_OuKN9_2korX__RfHwkecLX_BGk7aajnm3sfNqbpV4Pl55B1fpSBpbOA\/s1600\/packagist.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,32,57],"class_list":["post-253480","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-malware","tag-security"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253480"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=253480"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253480\/revisions"}],"predecessor-version":[{"id":253483,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253480\/revisions\/253483"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/253482"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=253480"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=253480"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=253480"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}