Last updated: July 5, 2026 at 9:01 AM UTC
Tag: php (2 articles)

Packagist supply-chain attack hits 8 Composer packages with cross-ecosystem package.json hook downloading Linux binary to /tmp/.sshd

Socket has detailed a coordinated supply-chain campaign that planted malicious code in eight Composer packages on Packagist, including moritz-sauer-13/silverstripe-cms-theme, crosiersource/crosierlib-base, devdojo/wave, devdojo/genesis, katanaui/katana, elitedevsquad/sidecar-laravel, r2luna/brain, and baskarcm/tzi-chat-ui. The attackers placed the payload not in composer.json but in package.json - meaning teams scanning only PHP dependencies would miss the Node.js lifecycle hook bundled inside. The postinstall script downloads a Linux binary from a GitHub Releases URL (github[.]com/parikhpreyash4/systemd-network-helper-aa5c751f), saves it as /tmp/.sshd, and runs it backgrounded with execute permissions. Socket found the same payload referenced in 777 GitHub files, including two GitHub Actions workflows - hinting at a broader campaign.

Check
Audit composer.lock and package.json across PHP projects for the 8 affected packages installed since 2026-05-20. Block egress to github[.]com/parikhpreyash4/* and check for the presence of /tmp/.sshd on Linux build hosts.
Affected
Any project that installed moritz-sauer-13/silverstripe-cms-theme, crosiersource/crosierlib-base, devdojo/wave, devdojo/genesis, katanaui/katana, elitedevsquad/sidecar-laravel, r2luna/brain, or baskarcm/tzi-chat-ui via Composer. The hook is hidden in package.json, so PHP-only scanners miss it.
Fix
Roll affected packages back to clean versions; pin via composer.lock and package-lock.json. Rotate developer and CI credentials reachable from affected hosts. Scan PHP repos for package.json lifecycle hooks.

Laravel-Lang PHP packages compromised - autoload payload steals AWS, Azure, GCP, K8s, Vault, crypto wallets across Linux, macOS, Windows

Aikido Security and Socket have disclosed that several packages in the Laravel-Lang PHP ecosystem were compromised and used to ship a ~5,900-line PHP credential stealer that runs automatically the moment any consumer of the package boots. The dropper registers itself in composer.json under autoload.files, so no class instantiation or method call is needed - the payload triggers on every PHP request. It harvests AWS, Azure, GCP, Kubernetes, HashiCorp Vault, Jenkins, GitLab, GitHub Actions, CircleCI, browser data, password-manager vaults, SSH keys, crypto wallets, and VPN configs, then AES-encrypts the bundle and exfiltrates to flipboxstudio[.]info/exfil. The script then deletes itself to limit forensic recovery.

Check
Audit composer.lock files and Laravel deployments for any laravel-lang/* package installed since 2026-05-15. Search egress logs for traffic to flipboxstudio[.]info. Check src/helpers.php for unfamiliar code.
Affected
Any PHP application that pulled in a compromised laravel-lang package via Composer. The autoload trigger means the payload runs on every request, not just on first use.
Fix
Roll back to a known-clean laravel-lang version and pin via composer.lock. Rotate every cloud credential, SSH key, browser-stored token, and password-vault item reachable from affected hosts.
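The Check steps of both entries above (the Packagist package.json hook and the Laravel-Lang autoload.files dropper) come down to three lookups a defender can script: which locked Composer packages match the advisories, which package.json files shipped under vendor/ declare npm lifecycle hooks, and which vendor composer.json files register autoload.files that Composer runs on every boot. The following Python audit is an added example, not code from Socket, Aikido or the page; the package names and indicator strings are copied from the two entries, while the sample project it builds in a temp directory is constructed and the hook command in it is a made-up placeholder, not the real payload.

```python
import json
import tempfile
from pathlib import Path

# The eight Composer packages named in the Packagist entry, plus the laravel-lang/*
# namespace from the Laravel-Lang entry (names copied from the page).
AFFECTED_PACKAGES = {
    "moritz-sauer-13/silverstripe-cms-theme", "crosiersource/crosierlib-base",
    "devdojo/wave", "devdojo/genesis", "katanaui/katana",
    "elitedevsquad/sidecar-laravel", "r2luna/brain", "baskarcm/tzi-chat-ui",
}
AFFECTED_VENDOR_PREFIXES = ("laravel-lang/",)

# npm lifecycle scripts that run with no explicit invocation during `npm install`.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Indicators quoted in the two entries (the page defangs them; spelled plainly here
# because they are only ever substring-matched against local config text).
INDICATORS = ("parikhpreyash4", "/tmp/.sshd", "flipboxstudio.info")

# Constructed sample inputs so the functions can be exercised offline; the
# postinstall command is a placeholder that merely contains two indicators.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "monolog/monolog", "version": "3.5.0"},
                 {"name": "devdojo/wave", "version": "2.1.4"}],
    "packages-dev": [{"name": "laravel-lang/common", "version": "6.0.1"}],
})
SAMPLE_PACKAGE_JSON = json.dumps({"name": "theme", "scripts": {
    "build": "vite build",
    "prepare": "husky",
    "postinstall": "sh -c 'PLACEHOLDER-fetch parikhpreyash4 > /tmp/.sshd'",
}})
SAMPLE_COMPOSER_JSON = json.dumps({"name": "laravel-lang/common", "autoload": {
    "psr-4": {"LaravelLang\\Common\\": "src/"},
    "files": ["src/helpers.php"],
}})


def affected_from_lock(composer_lock_text):
    """Return [(name, version)] for locked packages matching the advisories."""
    lock = json.loads(composer_lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name in AFFECTED_PACKAGES or name.startswith(AFFECTED_VENDOR_PREFIXES):
                hits.append((name, pkg.get("version", "?")))
    return hits


def lifecycle_hooks(package_json_text):
    """Return {hook: command} for lifecycle scripts declared in a package.json."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}


def autoload_files(composer_json_text):
    """Return the autoload(-dev).files entries a package asks Composer to run at boot."""
    data = json.loads(composer_json_text)
    files = []
    for section in ("autoload", "autoload-dev"):
        files.extend((data.get(section) or {}).get("files", []))
    return files


def has_indicator(text):
    return any(ioc in text for ioc in INDICATORS)


def scan_project(root):
    """Audit a checked-out project: root composer.lock, every package.json outside
    node_modules (Composer installs a package's package.json too), and every
    vendor/*/*/composer.json for autoload.files entries."""
    root = Path(root)
    report = {"affected": [], "hooks": [], "autoload_files": []}
    lock = root / "composer.lock"
    if lock.is_file():
        report["affected"] = affected_from_lock(lock.read_text())
    for pj in root.rglob("package.json"):
        if "node_modules" in pj.parts:
            continue
        for hook, cmd in lifecycle_hooks(pj.read_text()).items():
            report["hooks"].append((str(pj.relative_to(root)), hook, cmd, has_indicator(cmd)))
    for cj in root.glob("vendor/*/*/composer.json"):
        for f in autoload_files(cj.read_text()):
            report["autoload_files"].append((str(cj.relative_to(root)), f))
    return report


def build_sample_project():
    """Lay the constructed samples out like a real Composer project in a temp dir."""
    root = Path(tempfile.mkdtemp())
    (root / "composer.lock").write_text(SAMPLE_LOCK)
    wave = root / "vendor" / "devdojo" / "wave"
    wave.mkdir(parents=True)
    (wave / "package.json").write_text(SAMPLE_PACKAGE_JSON)
    lang = root / "vendor" / "laravel-lang" / "common"
    lang.mkdir(parents=True)
    (lang / "composer.json").write_text(SAMPLE_COMPOSER_JSON)
    return root


if __name__ == "__main__":
    print(json.dumps(scan_project(build_sample_project()), indent=2))
```

Run it against a real checkout with `scan_project("/path/to/app")`. Any hook whose command carries an indicator is an immediate finding, but every lifecycle hook and every autoload.files entry in vendor/ deserves a look: both mechanisms are legitimate and common, which is exactly why a scanner that only reads composer.json or only the PHP dependency tree misses these campaigns.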