{
  "title": "Packagist GitHub Postinstall Hook Malware Campaign",
  "summary": "A campaign inserted malicious package.json postinstall hooks into Packagist-linked GitHub repositories, causing npm install workflows to download a binary from GitHub Releases, write it to /tmp/.sshd, mark it executable, and run it in the background.",
  "date": "2026-05-24",
  "severity": "high",
  "tags": [
    "supply-chain",
    "packagist",
    "github",
    "npm",
    "postinstall"
  ],
  "sources_count": 5,
  "indicators": {
    "slug": "packagist-github-postinstall-hook-campaign",
    "since": "2026-05-24T00:00:00Z",
    "until": "2026-05-24T23:59:59Z",
    "ecosystem": "composer/packagist and github, with npm lifecycle execution",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [
      "moritz-sauer-13/silverstripe-cms-theme",
      "crosiersource/crosierlib-base",
      "devdojo/wave",
      "devdojo/genesis",
      "katanaui/katana",
      "elitedevsquad/sidecar-laravel",
      "r2luna/brain",
      "baskarcm/tzi-chat-ui"
    ],
    "versions": [
      "dev-main",
      "dev-master",
      "3.x-dev",
      "moritz-sauer-13/silverstripe-cms-theme dev-master",
      "crosiersource/crosierlib-base dev-master",
      "devdojo/wave dev-main",
      "devdojo/genesis dev-main",
      "katanaui/katana dev-main",
      "elitedevsquad/sidecar-laravel 3.x-dev",
      "r2luna/brain dev-main",
      "baskarcm/tzi-chat-ui dev-main"
    ],
    "affectedVersions": [],
    "fixedVersions": [],
    "files": [
      "package.json",
      "/tmp/.sshd"
    ],
    "paths": [],
    "services": [],
    "domains": [
      "github.com"
    ],
    "urls": [
      "https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network"
    ],
    "ips": [],
    "hashes": [],
    "processPatterns": [
      "curl -skL ... -o /tmp/.sshd",
      "chmod +x /tmp/.sshd",
      "/tmp/.sshd running in background"
    ],
    "networkPatterns": [
      "download of gvfsd-network from parikhpreyash4/systemd-network-helper-aa5c751f"
    ],
    "telemetrySelectors": []
  }
}