A recent coordinated supply chain attack has compromised eight PHP packages on Packagist, embedding malicious code that downloads and executes a Linux binary from a GitHub repository. This attack highlights the evolving tactics of threat actors targeting open-source ecosystems.
Malicious Code Embedded in JavaScript Files
According to Socket, the malicious code was inserted into the package.json files of the affected packages, rather than the typical composer.json. This approach targets projects that incorporate JavaScript build tools alongside PHP code, potentially bypassing security scans focused solely on PHP dependencies.
Details of the Attack
The compromised packages include:
- moritz-sauer-13/silverstripe-cms-theme (dev-master)
- crosiersource/crosierlib-base (dev-master)
- devdojo/wave (dev-main)
- devdojo/genesis (dev-main)
- katanaui/katana (dev-main)
- elitedevsquad/sidecar-laravel (3.x-dev)
- r2luna/brain (dev-main)
- baskarcm/tzi-chat-ui (dev-main)
In these packages, a post-installation script was added to the package.json file. This script attempts to download a Linux binary from a GitHub Releases URL, save it to the /tmp/.sshd directory, modify its permissions to make it executable, and run it in the background. The GitHub repository hosting the binary has since been removed, making it difficult to analyze the payload’s exact nature.
Further investigation by Socket revealed references to the same payload across 777 files on GitHub, indicating a potentially broader campaign. In some instances, the malicious code was embedded in GitHub workflow files, suggesting multiple execution mechanisms were employed.
As reported by The Hacker News, the choice of the name “gvfsd-network” for the malware is notable, as it refers to a GNOME Virtual File System daemon responsible for managing network shares. This naming could be an attempt to disguise the malicious activity.
While the second-stage binary’s specifics remain unknown, the installer itself poses a significant threat. It provides remote code execution capabilities during installation or build processes and attempts to conceal its actions by disabling TLS verification, suppressing errors, and running the downloaded binary in the background.
This incident underscores the importance of comprehensive security practices in software development. Developers should scrutinize all dependencies, including those that may seem peripheral, and implement robust monitoring to detect unusual behaviors. The cross-ecosystem nature of this attack serves as a reminder that security measures must encompass the entire development stack to effectively mitigate risks.
Source: The Hacker News
