Malicious Postinstall Hook Found in 700+ GitHub Repositories Affecting Node.js and PHP Supply Chains
Tags OSS · Enterprise · AI

Socket researchers discovered a coordinated supply chain attack that injected a malicious postinstall hook into 700+ GitHub repositories, including 8 PHP Composer packages published on Packagist. The malicious script downloads a binary named 'gvfsd-network' from GitHub Releases to '/tmp/.sshd' using curl with TLS verification disabled, then executes it in the background. Affected packages include moritz-sauer-13/silverstripe-cms-theme, crosiersource/crosierlib-base, devdojo/wave, and others.
Technical significance
The scale of this supply chain attack (700+ repos) demonstrates that postinstall hooks remain a largely unmonitored attack vector. Organizations relying on Composer or npm packages should audit dependency trees for unauthorized postinstall scripts, and package managers should implement stricter sandboxing of lifecycle hooks.