Imagine you are building a giant tower out of different sets of building blocks. You trust the boxes you bought from the store, but what if one small piece inside a box was designed to knock the whole tower down once you finished? This is exactly what happened in a recent “coordinated” supply chain attack. Hackers hid malicious code inside popular programming building blocks, specifically targeting developers who use both PHP and JavaScript. It is a very clever trick that every young coder needs to understand to keep their projects safe.
Modern software development often involves using many different languages at once. For example, a developer might use PHP to handle the logic of a website and JavaScript to make the website look pretty and interactive. These developers use “package managers” like Composer for PHP and NPM for JavaScript to download pre-written code. Usually, if a developer is working on a PHP project, they carefully check their PHP settings. However, the attackers in this campaign were very sneaky. They added malicious code to a file called package.json, which is used by JavaScript, even though the main project was written in PHP. This is known as “cross-ecosystem placement.” Because security experts were busy looking at the PHP side of things, they almost missed the trap hidden in the JavaScript side.
The way this attack works is quite technical but very interesting. When you install a JavaScript library, the package.json file can contain something called a “postinstall script.” This is a command that runs automatically as soon as the download is finished. In this specific attack, the script was designed to reach out to the internet and download a secret file from a GitHub repository. This file was a Linux binary—a type of program that a computer can run. The script would then save this program into a hidden folder called /tmp/.sshd, change its permissions using a command called chmod so it could be executed, and then run it quietly in the background where the developer couldn’t see it.
One of the most dangerous parts of this attack is how it tried to stay hidden. The hackers named their malicious program “gvfsd-network.” This name was chosen specifically because it looks like a real, boring part of a Linux computer’s system responsible for networking. If a developer looked at their computer’s list of running programs, they might see it and think it was just a normal part of the operating system. Furthermore, the malicious script was set up to disable “TLS verification.” Usually, when your computer talks to a website, it checks a “security certificate” to make sure the website is who they say they are. By disabling this, the hackers made it easier for their malware to download without being blocked by security software.
The attack didn’t just stop at individual computers; it also targeted “GitHub Actions.” These are automated systems that test and build code in the cloud. Because the malware was hidden in the workflow files, it could infect the very tools used to create and distribute software, potentially spreading the “infection” to even more people. Several packages were affected, including versions of Silverstripe, Wave, and Genesis. While these specific malicious versions have been removed from the public library called Packagist, the threat remains because the same bad code has been found in hundreds of other files across GitHub. This shows us that we must always be vigilant and check every part of our project, not just the parts we are currently working on.
To make sure your own projects are safe from these kinds of hidden threats, you should follow a strict routine when adding new tools to your code. It is not enough to just hope the code is safe; you must verify it yourself.
Inspect your dependency files manually. Before running an installation command, open the configuration files to see what they are doing.
- Open your project folder and locate the
package.jsonfile. - Scroll down to the section labeled
"scripts". - Look specifically for entries like
"preinstall","install", or"postinstall". - If you see any long strings of code that use commands like
curl,wget,chmod, orbash, and you didn’t put them there, do not run the installation.
Monitor your background processes. Regularly check what is running on your machine to ensure no “secret” programs are active.
- On a Linux or Mac computer, open the Terminal.
- Type the command
toporhtpand press Enter. - Look for strange names, especially ones like
gvfsd-networkor programs running from the/tmp/directory. - If you find something suspicious, you can stop it by finding its “PID” (Process ID) and typing
kill -9 [PID].
Use security scanning tools. There are professional tools designed to find these traps for you.
- Open your terminal in your project directory.
- For JavaScript files, type
npm auditand press Enter. This will check yourpackage.jsonagainst a list of known threats. - For PHP projects, use a tool like
local-php-security-checker. Run it by typing the command in your terminal to see if any of your Composer packages have known holes.
Audit your GitHub Workflows. If you use automation, check the instructions you gave the cloud.
- Go to your project on GitHub.com.
- Click on the folder named
.githuband then the folder namedworkflows. - Open each
.ymlfile and read the lines starting withrun:. - Ensure that no external scripts are being downloaded and executed during your build process without your permission.
Staying safe in the world of programming requires a mix of curiosity and caution. As you grow as a developer, you will learn that the “supply chain”—the code written by others that you use in your own work—is a very powerful tool, but it must be handled with care. This recent attack on Packagist and GitHub serves as a reminder that threats can come from unexpected directions, such as a JavaScript file hiding inside a PHP project. Always keep your tools updated, use security scanners, and never be afraid to look closely at the code you are downloading. By being careful today, you protect the amazing things you will build tomorrow.