Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware

A new "coordinated" supply chain attack campaign has impacted eight packages on Packagist, which now include malicious code designed to run a Linux binary retrieved from a GitHub Releases URL.

"Although the affected packages were all Composer packages, the malicious code was not added to composer.json," Socket said. "Instead, it was inserted into package.json, targeting projects that ship JavaScript