A GitHub commit in the r2luna/brain repository removed a suspicious postinstall entry from package.json after it was found downloading and executing an external binary during dependency installation. The deleted script used curl -skL to fetch a file named gvfsd-network from a GitHub Releases URL tied to parikhpreyash4/systemd-network-helper-aa5c751f, saved it as /tmp/.sshd, marked it executable, and launched it in the background. The rest of the project scripts were routine VitePress documentation commands, making the postinstall behavior stand out as an apparent supply-chain compromise designed to run unauthorized code on developer or build systems.
Separate CISA Known Exploited Vulnerabilities catalog updates during the same period added and refined entries for actively exploited flaws, including CVE-2026-31431 in the Linux kernel and a PAN-OS out-of-bounds write affecting the User-ID Authentication Portal. CISA said the Linux kernel flaw could enable privilege escalation and assigned federal remediation deadlines, while later catalog changes corrected its CWE mapping. Another update noted Palo Alto Networks had released multiple patches for the PAN-OS issue, which can allow unauthenticated remote code execution with root privileges on affected PA-Series and VM-Series firewalls.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
11 events from the most recent confirmed update back to the earliest known activity.
A GitHub commit removed a suspicious postinstall script from thedevdojo/genesis package configuration. The deleted script used curl to download a binary from a GitHub Releases URL to /tmp/.sshd, made it executable, and launched it in the background, indicating cleanup of a malicious supply-chain modification.
A GitHub commit removed a suspicious postinstall script from thedevdojo/wave package configuration. The deleted script used curl to fetch a binary from a GitHub Releases URL, saved it as /tmp/.sshd, made it executable, and launched it in the background, indicating a malicious supply-chain modification.
A GitHub commit removed a suspicious postinstall script from the project's package.json. The deleted script downloaded a binary from a GitHub Releases URL, saved it as /tmp/.sshd, made it executable, and launched it in the background, indicating a malicious supply-chain modification.
A GitHub commit for moritz-sauer-13/silverstripe-cms-theme added a suspicious postinstall script to package configuration. The script downloaded a binary from a GitHub Releases URL to /tmp/.sshd, marked it executable, and launched it in the background, indicating a likely supply-chain compromise.
A GitHub commit for crosiersource/crosierlib-base added a suspicious postinstall script to package metadata. The script used curl with certificate checks disabled to download a binary from a GitHub Releases URL to /tmp/.sshd, mark it executable, and run it in the background, indicating a likely supply-chain compromise.
A GitHub commit for thedevdojo/wave project added a suspicious postinstall script to package metadata. The script used curl to download a binary from a GitHub Releases URL to /tmp/.sshd, made it executable, and launched it in the background, indicating a likely supply-chain compromise.
A GitHub commit for r2luna/brain added a suspicious postinstall script to package metadata. The script used curl with certificate validation disabled to download a binary from GitHub Releases to /tmp/.sshd, mark it executable, and run it in the background, indicating a likely supply-chain compromise.
A GitHub commit for the npm package @elitedevsquad/sidecar-laravel added a suspicious postinstall script to package metadata. The script used curl with certificate checks disabled to download a binary from GitHub Releases to /tmp/.sshd, mark it executable, and run it in the background, indicating a likely supply-chain compromise.
Palo Alto Networks released multiple patches for a PAN-OS out-of-bounds write vulnerability in the User-ID Authentication Portal that can enable unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls. This patch release was later reflected in a CISA KEV catalog update.
CISA updated the KEV entry for CVE-2026-31431 to change its CWE classification from CWE-699 to CWE-669. The catalog's total vulnerability count did not change during this correction.
CISA added CVE-2026-31431, an incorrect resource transfer between spheres vulnerability in the Linux kernel that could allow privilege escalation, to its Known Exploited Vulnerabilities catalog. The entry set a remediation due date of 2026-05-15 and increased the catalog count from 1,586 to 1,587.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
11 references tracked. Mallory keeps watching after this page renders.
github.com
Open sourcegithub.com
Open sourcegithub.com
Open sourcegithub.com
Open sourcegithub.com
Open sourcegithub.com
Open sourcegithub.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.