Packagist links to the code you need to download but does not itself keep copies of it: a package entry is metadata that points at the package's source repository (typically on GitHub), and Composer fetches the code from there. This avoids "version drift" between the source control system and the packaging system, but it also means that whoever can edit a package's repository URL controls what everyone installing that package receives.
In a recent attack on Packagist, the attacker used old, inactive accounts whose login passwords had been obtained to repoint the affected packages at cloned GitHub repositories. The attacker then modified the composer.json files in those clones to include a message soliciting employment. All unauthorised changes have since been reverted.
To prevent such attacks, package maintainers should disable or delete unused accounts rather than leaving them active, never reuse a password across more than one account, and turn on 2FA. On the consuming side, it is equally important not to accept supply-chain updates blindly: commit the composer.lock file so that installs are pinned to known commits, and review the diff of each update, including any change to where a package's code is fetched from, before merging it.
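One concrete form of that review is to compare the composer.lock before and after an update and flag any package whose source or dist repository has moved to a different owner, repo or host, which is exactly what a Packagist entry repointed at a cloned repository looks like. The script below is an added example, not code from the article or from Packagist/Composer; the two lock files and the vendor, package and fork-owner names in them are constructed for illustration.

```python
"""Flag packages whose repository moved between two composer.lock files.

Added example, not part of the original article. The lock contents are
constructed inline: OLD_LOCK is a normal lock file, NEW_LOCK is what a
`composer update` would produce after one package's Packagist entry has
been repointed at a clone under another GitHub account.
"""
import json
from urllib.parse import urlparse

# Constructed "before" lock: both packages come from the vendor's own repos.
OLD_LOCK = json.dumps({
    "packages": [
        {"name": "acme/widget", "version": "1.4.2",
         "source": {"type": "git", "url": "https://github.com/acme/widget.git",
                    "reference": "a1b2c3"},
         "dist": {"type": "zip",
                  "url": "https://api.github.com/repos/acme/widget/zipball/a1b2c3"}},
        {"name": "acme/logger", "version": "2.0.0",
         "source": {"type": "git", "url": "https://github.com/acme/logger.git",
                    "reference": "d4e5f6"}},
    ],
    "packages-dev": [],
})

# Constructed "after" lock: acme/widget now resolves to a fork owned by the
# hypothetical account "forkowner"; acme/logger merely bumped its version.
NEW_LOCK = json.dumps({
    "packages": [
        {"name": "acme/widget", "version": "1.4.3",
         "source": {"type": "git", "url": "https://github.com/forkowner/widget.git",
                    "reference": "9f8e7d"},
         "dist": {"type": "zip",
                  "url": "https://api.github.com/repos/forkowner/widget/zipball/9f8e7d"}},
        {"name": "acme/logger", "version": "2.1.0",
         "source": {"type": "git", "url": "https://github.com/acme/logger.git",
                    "reference": "0c1b2a"}},
    ],
    "packages-dev": [],
})


def repo_identity(url):
    """Normalise a source/dist URL to (host, owner, repo) so that harmless
    variations (trailing .git, letter case, zipball paths) are not reported,
    while a different owner, repo or host is."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    parts = [p for p in parsed.path.split("/") if p]
    if host == "api.github.com" and len(parts) >= 3 and parts[0] == "repos":
        parts = parts[1:3]  # api.github.com/repos/<owner>/<repo>/zipball/<ref>
    owner = parts[0].lower() if parts else ""
    repo = parts[1].lower() if len(parts) > 1 else ""
    if repo.endswith(".git"):
        repo = repo[:-4]
    return host, owner, repo


def lock_packages(lock_text):
    """Map package name -> lock entry across 'packages' and 'packages-dev'."""
    lock = json.loads(lock_text)
    entries = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            entries[pkg["name"]] = pkg
    return entries


def find_repointed(old_lock_text, new_lock_text):
    """Return one finding per (package, source|dist) whose repository moved.

    A new version or commit reference in the same repository is routine and
    is not reported; a change of owner/repo/host is what a hijacked Packagist
    entry produces and deserves a human look before the update is merged."""
    old, new = lock_packages(old_lock_text), lock_packages(new_lock_text)
    findings = []
    for name, pkg in new.items():
        if name not in old:
            continue  # brand-new dependency: review it on its own terms
        for kind in ("source", "dist"):
            old_url = old[name].get(kind, {}).get("url")
            new_url = pkg.get(kind, {}).get("url")
            if not old_url or not new_url:
                continue
            if repo_identity(old_url) != repo_identity(new_url):
                findings.append({"name": name, "kind": kind,
                                 "old_url": old_url, "new_url": new_url,
                                 "old_version": old[name].get("version"),
                                 "new_version": pkg.get("version")})
    return findings


if __name__ == "__main__":
    for f in find_repointed(OLD_LOCK, NEW_LOCK):
        print(f"{f['name']} ({f['old_version']} -> {f['new_version']}): "
              f"{f['kind']} moved {f['old_url']} -> {f['new_url']}")
```

Run it against the real lock files from before and after `composer update` (for example the two versions in a pull request) and treat any finding as a stop-and-inspect signal. Note that `composer install` from a committed lock fetches the pinned commit from the recorded URL, so a repointed Packagist entry only reaches a project when someone runs `composer update`; the lock diff is therefore the natural place to catch it.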
In summary, Packagist is a useful repository for PHP coders, but it is important to take precautions to avoid account breaches and to review updates carefully.