Executive Summary
Socket reported a supply-chain campaign in which GitHub repositories behind Packagist packages contained a malicious package.json postinstall hook. Eight Packagist packages were confirmed Socket opens in a new tab. Following disclosure, Packagist removed the affected package entries and revoked compromised credentials Packagist opens in a new tab, while the GitHub Security Advisory database cataloged the incident to alert downstream developers GHSA opens in a new tab. Broader GitHub search results showed hundreds of references to the same attacker-controlled payload pattern.
The confirmed first stage downloads gvfsd-network from a GitHub Releases URL under parikhpreyash4/systemd-network-helper-aa5c751f, writes it to /tmp/.sshd, marks it executable, and launches it in the background Socket opens in a new tab. While the initial Socket review did not obtain the second-stage payload, a subsequent deep reverse-engineering of the /tmp/.sshd compiled Go ELF binary revealed C2 beaconing loop structures and active persistence techniques Gridinsoft opens in a new tab. Developers must implement secure hybrid configurations to protect multi-ecosystem development workflows Daily.dev opens in a new tab.