Several GitHub-hosted JavaScript projects were modified to include a malicious postinstall entry in package.json, turning routine dependency installation into unauthorized code execution. Commits affecting repositories including thedevdojo/genesis, katanaui/katana, and baskarcm/tzi-chat-ui added a script that used curl with certificate checks disabled to fetch a binary named gvfsd-network from a GitHub Releases page tied to parikhpreyash4/systemd-network-helper-aa5c751f, save it as /tmp/.sshd, mark it executable, and run it in the background. The pattern indicates a supply-chain style compromise designed to hide a backdoor inside otherwise ordinary dependency or build changes.
Other repositories moved quickly to remove the payload, with commits in elitedevsquad/sidecar-laravel and katanaui/katana explicitly reverting the suspicious postinstall logic while preserving legitimate build scripts. The repeated use of the same download URL, filename, and execution flow across unrelated projects suggests a coordinated campaign rather than isolated developer error. Separately, CISA added CVE-2026-48172 in the LiteSpeed cPanel Plugin to its Known Exploited Vulnerabilities catalog, but the dominant event across the referenced code changes was the discovery and rollback of a malicious package-install backdoor hosted through GitHub infrastructure.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
On 2026-05-26, CISA updated its Known Exploited Vulnerabilities Catalog to add CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed cPanel Plugin. CISA said any cPanel user account could abuse the plugin to execute arbitrary scripts with root privileges and advised organizations to apply mitigations or discontinue use if none are available.
Also on 2026-05-22, follow-up commits in repositories including elitedevsquad/sidecar-laravel and katanaui/katana removed the same malicious postinstall command from package.json. The reversions indicate detection and cleanup of unauthorized code execution logic embedded in package installation scripts.
On 2026-05-22, suspicious commits added npm postinstall scripts to repositories including thedevdojo/genesis, katanaui/katana, and baskarcm/tzi-chat-ui. The script downloaded a binary named gvfsd-network from a GitHub Releases URL, saved it as /tmp/.sshd, made it executable, and launched it in the background, indicating a likely supply-chain compromise.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
github.com
Open sourcegithub.com
Open sourcegithub.com
Open sourcegithub.com
Open sourcegithub.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.