FreshRSS

Naked Security

PHP Packagist supply chain poisoned by hacker “looking for a job”

By Paul Ducklin — May 5th 2023 at 16:59
I pwned you! Gizza job! You know it makes sense!

The Hacker News

Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Installs Compromised

By Ravie Lakshmanan — May 5th 2023 at 09:52
PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. "The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," Packagist's Nils Adermann said

The Hacker News

Researchers Report Supply Chain Vulnerability in Packagist PHP Repository

By Ravie Lakshmanan — October 4th 2022 at 15:09
Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks. "This vulnerability allows gaining control of Packagist," SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager