{"id":220746,"date":"2026-05-27T03:30:06","date_gmt":"2026-05-27T07:30:06","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/27\/packagist-supply-chain-attack-infects-8-packages-using-github-hosted-linux-malware\/"},"modified":"2026-05-27T03:30:09","modified_gmt":"2026-05-27T07:30:09","slug":"packagist-supply-chain-attack-infects-8-packages-using-github-hosted-linux-malware","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/27\/packagist-supply-chain-attack-infects-8-packages-using-github-hosted-linux-malware\/","title":{"rendered":"Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/packagist-supply-chain-attack-infects-8.html\">Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/packagist-supply-chain-attack-infects-8.html\">https:\/\/thehackernews.com\/2026\/05\/packagist-supply-chain-attack-infects-8.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-23 12:07:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>A new supply chain attack campaign targeted eight packages listed on Packagist, compromising popular PHP dependencies by embedding the malicious code in package.json rather than composer.json. This unusual placement targeted projects that blend PHP code with JavaScript build tooling and could slip past security scans focused on Composer metadata. The malicious versions have now been removed from Packagist. The attack involved modifying the upstream repositories to include a post-installation script that fetches a Linux binary from a GitHub Releases URL, saves it with execute permissions, and runs it in the background. 
Analysis found the same payload across 777 GitHub files, pointing to a potentially widespread scheme. The exact nature of the downloaded binary is unclear because the GitHub account hosting it is no longer available, but its remote code execution capability and stealth features make it a significant threat.<\/p>\n<p>Key Points:<br \/>\n&#8211; Malicious code found in package.json files rather than composer.json, targeting mixed PHP-JavaScript projects.<br \/>\n&#8211; Attacker used post-install scripts in package repositories for this campaign.<br \/>\n&#8211; Same payload identified across numerous GitHub files, suggesting a broader, multi-faceted attack.<br \/>\n&#8211; Malicious installer offers remote code execution and attempts to conceal its activities.<br \/>\n&#8211; Exact threat level of the downloaded payload is uncertain because the hosting GitHub account is unavailable.<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware https:\/\/thehackernews.com\/2026\/05\/packagist-supply-chain-attack-infects-8.html Publish Date: 
2026-05-23&#8230;<\/p>\n","protected":false},"author":1,"featured_media":220748,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiQ5LyRYJIkEVUSrrBV-_qvrXIKC-B4h0JAxyV4IalzuiEzXi6KeCnZNTUWIIld3oeC5kDx85xppqYm9tG_UB3_Sss9WqH2bYsOVxkB3PhjUk_cQrdyvr6JKsYgn35_sESYYsLC_OuKN9_2korX__RfHwkecLX_BGk7aajnm3sfNqbpV4Pl55B1fpSBpbOA\/s1700-e365\/packagist.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31,32],"class_list":["post-220746","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit","tag-malware"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220746"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=220746"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220746\/revisions"}],"predecessor-version":[{"id":220751,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220746\/revisions\/220751"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/220748"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=220746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=220746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.ne
ws-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=220746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}