Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Packagist Supply Chain Breach Targets Eight Packages

Packagist Supply Chain Breach Targets Eight Packages

Posted on May 23, 2026 By CWS

A recent coordinated supply chain attack has compromised eight packages on Packagist, utilizing malicious code that executes a Linux binary sourced from a GitHub Releases URL. This incident highlights significant vulnerabilities within the software distribution ecosystem.

Details of the Attack

The affected packages, all Composer packages, were infiltrated through an unusual method. The malicious code was inserted into package.json, rather than the more commonly scrutinized composer.json. This approach targeted projects that incorporate JavaScript build tools alongside PHP code, evading detection by those focusing solely on Composer-related metadata.

This strategic cross-ecosystem insertion poses challenges for developers and security teams, as it exploits lifecycle hooks within package.json that may be overlooked during standard PHP dependency scans. Although the malicious versions have been removed from Packagist, the breach underscores the need for comprehensive security practices.

Technical Analysis and Package Impact

Analysis reveals that the upstream repositories of these packages were altered to include a post-install script. This script attempts to download a Linux binary from a specified GitHub Releases URL, saving it to the /tmp/.sshd directory, modifying permissions to enable execution by all users, and operating it in the background.

The following packages and their respective versions were impacted:

  • moritz-sauer-13/silverstripe-cms-theme (dev-master)
  • crosiersource/crosierlib-base (dev-master)
  • devdojo/wave (dev-main)
  • devdojo/genesis (dev-main)
  • katanaui/katana (dev-main)
  • elitedevsquad/sidecar-laravel (3.x-dev)
  • r2luna/brain (dev-main)
  • baskarcm/tzi-chat-ui (dev-main)

Broader Implications and Unclear Payloads

Further investigation by Socket has uncovered references to this payload in 777 files across GitHub, indicating a potentially larger campaign. However, the exact extent of these breaches—whether they represent unique compromises, forks, or other forms of duplication—remains uncertain.

The payload was activated via package.json post-install scripts for package artifacts and was embedded within GitHub Actions workflows. The precise function of the payload downloaded from GitHub is unknown, as the account hosting it is no longer active. The malware was named “gvfsd-network,” referencing a GNOME Virtual File System daemon, which manages network shares.

Despite the absence of a second-stage binary, the dangerous installer warrants immediate attention. It enables remote code execution during installation or build processes, obscuring its operations by disabling TLS verification, suppressing errors, and executing downloaded binaries discreetly.

This incident serves as a critical reminder of the importance of vigilant security practices and the need for multi-layered defense strategies to protect against evolving cyber threats.

The Hacker News Tags:Composer packages, Cybersecurity, DevSecOps, GitHub, JavaScript, Linux, Malware, Packagist, remote code execution, supply chain attack

Post navigation

Previous Post: npm Enhances Security with 2FA and Install Controls
Next Post: Advanced Tool Detects Persistence Malware on Multiple OS

Related Posts

Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm The Hacker News
26 Malicious Apps on Apple Store Targeting Crypto Wallets 26 Malicious Apps on Apple Store Targeting Crypto Wallets The Hacker News
Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet The Hacker News
CISA Highlights Cisco, Chrome, Arista Security Flaws CISA Highlights Cisco, Chrome, Arista Security Flaws The Hacker News
Microsoft Device Code Phishing Campaign Targets M365 Accounts Microsoft Device Code Phishing Campaign Targets M365 Accounts The Hacker News
New GodRAT Trojan Targets Trading Firms Using Steganography and Gh0st RAT Code New GodRAT Trojan Targets Trading Firms Using Steganography and Gh0st RAT Code The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection
  • Gitea Vulnerability Exploited Actively, Experts Alert

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection
  • Gitea Vulnerability Exploited Actively, Experts Alert

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark