"This suggests the attacker was not relying on a single execution mechanism. In package artifacts, the payload was triggered through package.json postinstall scripts," Socket said.
Summary of the Packagist incident
A coordinated supply-chain campaign altered eight packages hosted on Packagist to include malicious installer code that attempts to retrieve and run a Linux binary from a GitHub Releases URL. Socket, the application security firm that analyzed the activity, reported that the malicious versions have since been removed from Packagist. The injected code targeted package artifacts distributed with PHP projects, but the installer mechanism relied on JavaScript lifecycle hooks rather than the expected PHP metadata.
Which Packagist packages were affected
Socket identified the following packages and affected versions:
- moritz-sauer-13/silverstripe-cms-theme (dev-master)
- crosiersource/crosierlib-base (dev-master)
- devdojo/wave (dev-main)
- devdojo/genesis (dev-main)
- katanaui/katana (dev-main)
- elitedevsquad/sidecar-laravel (3.x-dev)
- r2luna/brain (dev-main)
- baskarcm/tzi-chat-ui (dev-main)
Although these are Composer packages, Socket noted that the malicious code was not added to composer.json. Instead, the attacker inserted the code into package.json, “targeting projects that ship JavaScript build tooling alongside PHP code.”
What the malicious installer does and where it came from
Socket’s analysis shows the injected postinstall script attempts to download a Linux binary from a GitHub Releases URL — shown in the report as github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f — save it to /tmp/.sshd, change its permissions with chmod to grant execute permission to all users, and run it in the background. The installer also attempts to hide its activity by disabling TLS verification and suppressing errors, actions Socket described as sufficient reason to block the code even without the second-stage binary.
Socket reported the GitHub account associated with the repository hosting the second-stage binary is no longer available, and said the exact nature of the downloaded payload therefore remains unclear. The analysis noted the attacker used the name “gvfsd-network” for the malware, a reference to a GNOME Virtual File System (GVfs) daemon responsible for managing and browsing network shares.
Cross-ecosystem placement and workflow persistence
Socket highlighted the use of “cross-ecosystem placement” — placing malicious lifecycle hooks in package.json within PHP packages — as the activity’s notable feature because security teams scanning PHP dependencies may focus on Composer metadata and miss JavaScript lifecycle scripts bundled inside the package. The firm found references to the same payload across 777 files in GitHub, and in at least two instances the payload was added to a GitHub workflow.
Socket cautioned that the 777-file count does not directly equate to 777 distinct compromises, because it is not currently known how many instances are separate compromises, forks, duplicate package artifacts, or cached references. The multiplicity of placements, Socket wrote, “suggests the attacker was not relying on a single execution mechanism.”
What this means for technologists, open-source maintainers, and enterprises
- Technologists and security teams: Socket’s findings emphasize the need to inspect package.json lifecycle hooks in Composer packages as well as composer.json metadata, because the reported installer used package.json postinstall scripts to achieve remote code execution during installation or build workflows.
- Open-source maintainers: The campaign demonstrates a vector where malicious code can be introduced into upstream repositories and into distributed package artifacts and workflows; maintainers will need to check for unexpected postinstall scripts and workflow entries that reference external artifacts.
- Enterprises and procurement leaders: Although the malicious versions were removed from Packagist, organizations that consume development snapshots (for example dev-master or dev-main versions) should review their dependency trees for the named packages and similar artifacts, and consider controls to detect lifecycle scripts that fetch and execute binaries.
Socket’s report leaves two concrete facts at the center of the incident: the immediate risk was the installer embedded in package artifacts and workflows, and the broader footprint — 777 file references on GitHub — suggests the activity may be part of a wider campaign. The second-stage binary’s author account is no longer available, leaving the exact payload and its objectives opaque even as defenders clean up affected Packagist artifacts.




