Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Linux Attack Hides Malicious Payload in Package Installs

Linux Attack Hides Malicious Payload in Package Installs

Posted on May 25, 2026 By CWS

A covert supply chain attack is targeting developers by embedding a Linux binary within software packages on GitHub. This malicious script, disguised under a filename that mimics a standard system process, has affected over 700 repositories across various ecosystems.

How the Attack Operates

The threat is introduced via a harmful postinstall script within PHP and Node.js packages. When these compromised packages are installed, the script operates without alerting the user, fetching a binary from an attacker-controlled GitHub account. It stores this binary in a temporary directory on the Linux system, under the file path /tmp/.sshd, which resembles a legitimate SSH daemon file.

Researchers from Socket.dev revealed this campaign through their AI-driven scanner, which flagged the packages based on their unusual behavior during installation. The breadth of the attack extended beyond initial findings, impacting both Packagist and Node.js repositories.

Stealth Tactics and Widespread Impact

This attack is particularly hard to detect due to its stealthy nature. The script suppresses errors during installation and runs the binary in the background unnoticed. Developers examining typical installation logs would likely miss the malicious process, as the filename’s disguise blends it into the system environment.

The central point for payload delivery was identified as a GitHub account named parikhrpreksha. Consistent postinstall commands were found across numerous repositories, all downloading the same binary from a GitHub Releases URL, indicating a coordinated operation.

Preventative Measures and Recommendations

Given the attack’s reach, Socket.dev has taken steps to report affected packages, which were subsequently removed from Packagist. However, due to the use of branch-tracking versions, developers must ensure that upstream repositories are also cleared of malicious code.

Teams utilizing Packagist packages with PHP scripting or Laravel-based tools should scrutinize composer.json files for unexpected entries. It’s crucial to check for binaries with dot-prefixed names in /tmp, review GitHub Actions workflow files, and audit packages linked to development branches rather than stable releases.

This incident underscores the need for vigilance in software package management, emphasizing the importance of regular audits and updates to mitigate potential threats.

Cyber Security News Tags:binary download, cyber attack, Cybersecurity, GitHub, GitHub actions, Linux security, Malware, Node.js, Open Source, Packagist, PHP, Socket.dev, software packages, SSH, supply chain attack

Post navigation

Previous Post: Iranian Group Utilizes SEO Tactics for Malware Distribution
Next Post: Cybercriminals Exploit Telegram for Selling Bank Mule Accounts

Related Posts

New Framework Enhances APT Attribution New Framework Enhances APT Attribution Cyber Security News
ShadowSyndicate Adopts Server Transition in Cyber Attacks ShadowSyndicate Adopts Server Transition in Cyber Attacks Cyber Security News
Critical Jenkins Security Flaws Threaten Server Safety Critical Jenkins Security Flaws Threaten Server Safety Cyber Security News
Hackers Stolen 0,000 in Crypto Assets by Weaponizing AI Extension Hackers Stolen $500,000 in Crypto Assets by Weaponizing AI Extension Cyber Security News
Payload Ransomware Threatens Global Systems with Advanced Encryption Payload Ransomware Threatens Global Systems with Advanced Encryption Cyber Security News
Ericsson USA Reveals Third-Party Data Breach Ericsson USA Reveals Third-Party Data Breach Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Microsoft Entra Passkey Enrollment Exploited by Hackers
  • RedHook Malware Exploits ADB Debugging for Control
  • ACSC Raises Alarm on CMS Exploitation Threat
  • GodDamn Ransomware Uses PoisonX to Evade Security
  • Critical Roundcube XSS Flaws Require Immediate Update

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Microsoft Entra Passkey Enrollment Exploited by Hackers
  • RedHook Malware Exploits ADB Debugging for Control
  • ACSC Raises Alarm on CMS Exploitation Threat
  • GodDamn Ransomware Uses PoisonX to Evade Security
  • Critical Roundcube XSS Flaws Require Immediate Update

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark