Supply Chain Alert: Coordinated Attack Exploits Hybrid PHP/JS Ecosystems via Malicious Post-Install Hooks
Security researchers have identified a sophisticated supply chain campaign where attackers deploy a Linux-based payload disguised as a legitimate SSH service. This attack specifically targets the intersection of PHP and JavaScript development environments, leveraging the automated workflows of modern package managers to achieve remote code execution (RCE).
The technical crux of the exploit lies in its strategic placement. While many security audits focus on composer.json for PHP-based dependency analysis, the attackers embedded a malicious postinstall script within package.json. This subtle shift allows the payload to bypass traditional PHP-centric dependency reviews, executing automatically when a developer runs npm install within a project containing these compromised files.
Upon execution, the script initiates a multi-stage infection process:
- Remote Fetching: It utilizes
curlwith the-k(insecure) flag to download a binary from an attacker-controlled GitHub Releases URL, intentionally bypassing TLS certificate verification. - Masquerading: The binary is written to
/tmp/.sshd. By adopting this filename, the malware attempts to blend into the process list, mimicking a standard SSH daemon to evade casual inspection by system administrators. - Persistence and Stealth: The script applies executable permissions via
chmod +xand launches the process in the background (&), while redirecting errors to ensure the terminal remains silent and the developer remains unaware of the breach.
Analysis by Socket revealed that eight compromised Packagist packages were directly implicated, specifically those tied to volatile development branches such as dev-main and dev-master. High-profile Laravel starter kits, including devdojo/wave and devdojo/genesis, were among the affected repositories, potentially exposing thousands of downstream installations.
The scale of the operation is significant. A broader investigation into the attacker’s GitHub footprint—specifically the account parikhpreyash4—uncovered hundreds of repositories containing similar payload structures. This suggests a highly organized infrastructure rather than a series of isolated, opportunistic compromises.
Deep Dive: Exploiting Branch-Tracking and CI/CD Pipelines
The investigation highlights a critical vulnerability in how developers consume “bleeding edge” dependencies. By targeting branch-tracking versions (like dev-main) rather than immutable semantic version tags, attackers can inject malicious commits into a repository and later revert them, making the compromise difficult to audit after the fact.
Furthermore, the threat actors expanded their attack surface beyond local developer machines by compromising GitHub Actions workflows. Malicious steps were cleverly disguised under innocuous labels such as “Dependency Cache Sync,” ensuring the payload would execute within the automated CI/CD pipelines used for build and deployment processes.

This dual-vector approach—targeting both the local development environment via npm and the production pipeline via GitHub Actions—maximizes the likelihood of the payload reaching a high-value production server.
Risk Assessment and Mitigations
The risk is highest for “Starter Kits” and boilerplate projects. Because these projects place the compromised package.json at the project root, the postinstall hook triggers immediately during initial setup. This is a stark contrast to deep-level library dependencies, which are often nested within the vendor/ directory and may not trigger top-level lifecycle scripts as readily.
To harden your development environment and CI/CD pipelines, we recommend the following technical controls:
- Enforce Version Pinning: Avoid using branch-tracking versions (e.g.,
dev-master) in production environments. Always use specific, immutable version tags. - Comprehensive Auditing: Extend security scans to include both
composer.jsonandpackage.jsonfiles. - Implement SCA Tools: Utilize Software Composition Analysis (SCA) tools capable of detecting anomalous lifecycle script behavior.
- Network Egress Monitoring: Monitor and restrict unexpected outbound network calls from build servers and developer workstations during installation phases.
- CI/CD Integrity: Regularly audit GitHub Action YAML files for unauthorized
curlorwgetcommands.
Indicators of Compromise (IoCs)
Security teams should monitor for the following artifacts during incident response:
- Malicious GitHub Account:
parikhpreyash4 - Associated Repository:
parikhpreyash4/systemd-network-helper-aa5c751f - Known Payload URL:
https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network - Target File Path:
/tmp/.sshd - Suspicious Command Strings:
curl -skLchmod +x /tmp/.sshd/tmp/.sshd &
Note: For safety, network indicators have been provided in plain text. Please re-fang these indicators (e.g., adding [.]) before ingesting them into threat intelligence platforms like MISP or SIEM systems.