Back to Intelligence

Packagist Supply Chain Attack: Detecting Malicious Linux Binaries via package.

SA
Security Arsenal Team
May 23, 2026
5 min read

Security researchers at Socket have uncovered a coordinated supply chain campaign targeting the Packagist repository, the primary package repository for PHP. While the ecosystem is PHP-centric, the attackers employed a sophisticated cross-vector technique by inserting malicious code into package. files rather than the standard composer.. This allowed the malicious packages to execute a Linux binary retrieved from a GitHub Releases URL. For defenders, this highlights a critical blind spot: modern software supply chain threats often traverse language boundaries, and standard Software Composition Analysis (SCA) tools configured strictly for PHP may miss JavaScript-based execution triggers hidden in dependency trees.

Technical Analysis

Affected Products:

  • Platform: Linux (malware payload)
  • Ecosystem: PHP / Composer (Packagist)
  • Entry Vector: package. (Node.js) embedded within Composer packages

Attack Chain Breakdown:

  1. Initial Compromise: A developer or CI/CD pipeline installs a compromised Composer package.
  2. Cross-Language Trigger: The package includes a package. file (unusual for pure PHP projects). When the build environment has Node.js installed (common for frontend asset compilation), the Node Package Manager (npm) reads this file.
  3. Execution: The attackers utilized a postinstall script within package.. This script automatically runs after npm install.
  4. Payload Retrieval: The script executes a curl or wget command to download a Linux binary executable from a GitHub Releases URL.
  5. Execution: The downloaded binary is executed, potentially establishing a reverse shell, loading a cryptominer, or providing persistence on the host.

Exploitation Status:

  • Status: Confirmed active exploitation in the wild.
  • Scope: 8 packages identified as compromised.
  • Severity: High. This leads to Remote Code Execution (RCE) on the build server or developer workstation.

Detection & Response

The following detection mechanisms are designed to identify the anomalous behavior of Node.js processes spawning network utilities to fetch binaries from GitHub, as well as scanning for the specific artifact indicators.

SIGMA Rules

YAML
---
title: Packagist Supply Chain - NPM Fetching Linux Binary from GitHub
id: 9e4d1b22-6c8f-4a9e-8b1c-1d2e3f4a5b6c
status: experimental
description: Detects npm or node processes spawning curl or wget to download artifacts from github.com, indicative of the Packagist package. attack.
references:
  - https://attack.mitre.org/techniques/T1105/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith:
      - '/node'
      - '/npm'
    Image|endswith:
      - '/curl'
      - '/wget'
    CommandLine|contains:
      - 'github.com'
      - 'githubusercontent.com'
  condition: selection
falsepositives:
  - Legitimate developer workflows using npm scripts to fetch specific github releases (rare in production).
level: high
---
title: Packagist Supply Chain - Suspicious Binary Execution via NPM
id: 3a8c2d19-7b4e-4c3d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects execution of binaries located in temporary or download directories immediately following an npm process, common in this supply chain attack.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|endswith:
      - '/node'
      - '/npm'
  selection_child:
    Image|contains:
      - '/tmp/'
      - '/var/tmp/'
      - '/downloads/'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate build tools compiling assets in temp directories.
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Node.js processes spawning curl/wget to GitHub
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ('node', 'npm', 'npx')
| where FileName in ('curl', 'wget')
| where ProcessCommandLine has 'github.com' or ProcessCommandLine has 'githubusercontent.com'
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| extend FileHash = SHA1

Velociraptor VQL

VQL — Velociraptor
-- Hunt for package. files containing postinstall scripts referencing GitHub
SELECT FullPath, String.Data AS Content
FROM glob(globs='/**/package.')
WHERE read_file(filename=FullPath, length=100000) =~ 'postinstall'
  AND read_file(filename=FullPath, length=100000) =~ 'github\.com'

-- Hunt for Node processes spawning network tools
SELECT Pid, Name, CommandLine, Exe, Parent.Pid AS ParentPid, Parent.Name AS ParentName
FROM pslist()
WHERE Parent.Name IN ('node', 'npm')
  AND Name IN ('curl', 'wget', 'sh', 'bash')
  AND CommandLine =~ 'github'

Remediation Script (Bash)

Bash / Shell
#!/bin/bash

# Audit Script: Detects malicious package. injection in PHP/Composer projects
# Usage: ./audit_packagist.sh /path/to/project/root

echo "[*] Starting audit for Packagist Supply Chain Indicators..."
echo "[*] Scanning for package. files..."

# Find all package. files recursively
find "$1" -type f -name "package." -print0 | while IFS= read -r -d $'\0' file; do
    # Check for 'postinstall' scripts
    if grep -qi '"postinstall"' "$file"; then
        # Check if postinstall references external URLs (github.com)
        if grep -A 5 '"postinstall"' "$file" | grep -qi 'github'; then
            echo "[!] SUSPICIOUS: Potential malicious payload found in: $file"
            echo "[!] Content snippet:"
            grep -A 5 '"postinstall"' "$file"
        fi
    fi
done

echo "[*] Audit complete."
echo "[*] Recommendation: Review composer.lock and vendor/ directories for unexpected dependencies."

Remediation

  1. Immediate Action:

    • Identify and remove the 8 compromised packages listed in the Socket advisory.
    • Invalidate any build artifacts generated during the compromise window. Assume CI/CD runners or developer workstations that processed these packages are infected.

  2. Vendor Review:

    • Update composer. to pin specific, verified versions of dependencies. Avoid wildcard ranges (*, >, >=) where possible to prevent dependency confusion.
    • Review the composer.lock file to ensure no unexpected packages have been introduced.

  3. SCA Configuration:

    • Update your Software Composition Analysis (SCA) policies to explicitly scan package. files within non-Node.js projects (e.g., PHP, Python, Java repositories).

  4. Network Hardening:

    • Restrict outbound internet access from build agents. Allowlist specific domains (e.g., repo.packagist.org, github.com strictly for git operations) and block direct access to github.com/releases or raw.githubusercontent.com from build pipelines unless strictly necessary.

  5. Investigation:

    • If a compromise is confirmed, treat the host as a foothold. The Linux binary downloaded establishes persistence. Conduct a full forensic sweep (memory analysis, cron jobs, systemd services) on affected Linux endpoints.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionpackagistsupply-chainlinux-malware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action