Find notable cyber news and cases, enriched with sources, timelines, and signals.

Packagist package.json hook supply chain attack campaign

Campaign
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

A coordinated supply chain attack campaign compromised eight Packagist packages, creating repeat execution risk for projects that install the affected versions. The malicious code hid in package.json lifecycle hooks rather than composer metadata, which could evade PHP-focused review. The installer then fetched a Linux binary from GitHub Releases, saved it as /tmp/.sshd, and ran it in the background.

Related Happenings

GitHub npm v12 hardens install-time dependency execution and source resolution

Security Tool/Service
H score11 First: 10.06.2026 22:41 Last: 10.06.2026 22:41 Sources 1

About this happening: **GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
H score34 First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

TrapDoor cross-ecosystem supply-chain campaign

Campaign
H score38 First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
H score22 First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Laravel Lang organization hit by network compromise

Incident
H score14 First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Timeline

  1. 23.05.2026 19:07 2 articles · 1mo ago

    Packagist supply chain campaign disclosed

    Initial Disclosure

    A coordinated supply chain campaign targeted eight Packagist packages by placing malicious code in package.json lifecycle hooks instead of composer.json, using postinstall scripts to download a Linux binary from a GitHub Releases URL, save it as /tmp/.sshd, grant execute permissions, and run it in the background. The affected packages were later removed from Packagist, and related references to the same payload were also found across 777 GitHub files and in at least two GitHub Actions workflows, indicating broader reuse of the malicious installer.

    Show sources