Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware

A coordinated supply chain attack has infected eight Packagist packages with malicious code that downloads and executes a Linux binary from GitHub.

• •Malicious postinstall scripts were inserted into package.json files within PHP Composer packages, targeting projects with JavaScript build tooling
• •The attack downloads a Linux binary from a GitHub Releases URL and saves it to "/tmp/.sshd" with execute permissions
• •Similar payload signatures were found across 777 GitHub files, suggesting a broader campaign using multiple execution mechanisms
• •The malware is named "gvfsd-network" to mimic GNOME Virtual File System daemon functionality
• •The malicious installer provides remote code execution during installation and build workflows while disabling TLS verification