Cross-Language Contamination: When Composer Packages Ship package. Payloads
Just caught the report on the latest coordinated supply chain attack hitting Packagist. While the GitHub-hosted Linux binary payload is concerning, the infection vector is what really stuck out to me.
We typically focus our SBOM analysis on composer. for PHP projects, but in this campaign, the malicious code was injected into package. files inside the affected packages. This suggests the attackers are specifically targeting hybrid environments where PHP projects might be pulling in frontend assets or running npm scripts alongside Composer.
If your build pipeline runs npm install or npm run build within your vendor directory, you might be executing this malware.
Immediate Detection Steps
I recommend auditing your vendor directories for the presence of package. files where they shouldn't be, and scanning for external binary calls. You can use this quick grep command to hunt for suspicious GitHub release URLs in non-standard locations:
find ./vendor -name "package." -type f -exec grep -l "releases/download" {} \;
Additionally, ensure your CI/CD pipelines restrict outbound traffic to unknown GitHub repositories.
Discussion
How is everyone handling dependency validation in polyglot projects? Are you treating the vendor directory as potentially executable for all languages, or do you strictly separate your JS and PHP build steps?
This is a solid point. In our environment, we actually prevent any execution of npm or node within the PHP vendor directory using explicit deny policies in our OpenPolicyAgent (OPA) gate.
If you're relying solely on composer.lock integrity checks, you're blind to this specific vector because composer. wasn't tampered with. I'd suggest adding a SAST step that specifically scans for file type anomalies, like finding JSON files associated with a different package manager.
Great catch on the build process angle. We've been moving towards ephemeral build containers that have no write access to the underlying vendor directory other than the specific package manager being run.
Also, check your .npmignore or .gitignore files if you're publishing packages. Sometimes these artifacts get included accidentally by devs, providing a perfect hiding spot for malware like this.
The use of GitHub Releases to host the Linux binary is a smart evasion tactic. It bypasses a lot of traditional IP reputation blocks since github.com is whitelisted everywhere.
For detection, we started hunting for processes spawned by the www-data user that are making direct network connections to non-CDN endpoints. It usually flags these kinds of webshells or droppers pretty quickly.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access