
PHP Packagist supply chain poisoned by hacker “looking for a job” – Naked Security

Packagist is the repository where community contributors publish details of the PHP packages they have created, making it easy for fellow PHP coders to get hold of library code they want to use in their own projects, and to keep that code up to date automatically if they wish.

Packagist links to, but does not itself host, the code you download: each package entry records the URL of the source repository (usually on GitHub) from which Composer fetches the code. This avoids "version drift" between the source code control system and the packaging system, but it also means that whoever controls a package's Packagist entry controls where every future install of that package is sent.

A recent attack on Packagist used old, inactive maintainer accounts whose login passwords the attacker had acquired. With those accounts, the attacker changed the affected packages' entries so that they pointed to attacker-controlled clones of the original GitHub repositories, and modified the composer.json files in those clones to include a message soliciting employment. No malicious code was reported; the visible change was the self-promotional text. All unauthorised changes have now been reverted.

To prevent such attacks: do not leave unused accounts active, do not re-use a password on more than one account, and turn on 2FA. Just as importantly, do not blindly accept supply-chain updates: review what actually changed, including whether a package's source repository URL has quietly moved to a different owner.
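The following script is an added example (not code from the original article, Packagist or Composer) of the review step above. It compares the `composer.lock` written before and after an update and flags any package whose recorded `source.url` now points at a different repository, is newly added, or has a changed description. It assumes the lock-file layout Composer writes (`packages` and `packages-dev` arrays, each entry carrying `name`, `version`, `source.url` and optionally `description`); the two lock files below are constructed sample data, not real packages.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the lock file committed before a `composer update`.
OLD_LOCK = json.dumps({
    "packages": [
        {"name": "acme/widget", "version": "1.4.2",
         "source": {"type": "git", "url": "https://github.com/acme/widget.git",
                    "reference": "a1b2c3"},
         "description": "Widget helpers"},
        {"name": "acme/logger", "version": "2.0.0",
         "source": {"type": "git", "url": "https://github.com/acme/logger.git",
                    "reference": "d4e5f6"}},
    ],
    "packages-dev": [],
})

# Constructed sample: the lock file after the update. acme/widget now resolves
# to a clone under a different GitHub owner and carries a changed description,
# which is the pattern described in the article. acme/logger is a routine bump.
NEW_LOCK = json.dumps({
    "packages": [
        {"name": "acme/widget", "version": "1.4.3",
         "source": {"type": "git", "url": "git@github.com:hijacked-account/widget.git",
                    "reference": "ffffff"},
         "description": "Widget helpers. Hire me!"},
        {"name": "acme/logger", "version": "2.0.1",
         "source": {"type": "git", "url": "https://github.com/acme/logger",
                    "reference": "0a0a0a"}},
    ],
    "packages-dev": [],
})


def repo_identity(url):
    """Normalise a VCS URL to (host, owner/repo) so that scheme, a trailing
    .git suffix, letter case and the git@host:path form all compare equal.
    Only the owner/repo path is considered, so a tag or commit change on the
    same repository is not reported as a repository change."""
    if url.startswith("git@"):                     # git@github.com:owner/repo.git
        host, _, path = url[4:].partition(":")
    else:
        parsed = urlparse(url)
        host, path = parsed.netloc, parsed.path
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return host.lower(), path.lower()


def index_packages(lock_text):
    """Map package name -> lock entry across both the prod and dev sections."""
    data = json.loads(lock_text)
    packages = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            packages[pkg["name"]] = pkg
    return packages


def audit_lock_update(old_lock_text, new_lock_text):
    """Return (package, finding, detail) tuples for anything a reviewer
    should look at before accepting the new lock file."""
    old = index_packages(old_lock_text)
    new = index_packages(new_lock_text)
    findings = []
    for name, pkg in new.items():
        new_src = pkg.get("source", {}).get("url", "")
        prev = old.get(name)
        if prev is None:
            findings.append((name, "new-package", new_src))
            continue
        old_src = prev.get("source", {}).get("url", "")
        if repo_identity(old_src) != repo_identity(new_src):
            findings.append((name, "source-repo-changed", f"{old_src} -> {new_src}"))
        if prev.get("description") != pkg.get("description"):
            findings.append((name, "description-changed", pkg.get("description")))
    for name in old.keys() - new.keys():
        findings.append((name, "package-removed", ""))
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit_lock_update(OLD_LOCK, NEW_LOCK):
        print(f"{kind:22} {name}: {detail}")
```

In a real pipeline the two inputs are `git show HEAD:composer.lock` and the working-copy `composer.lock`; a `source-repo-changed` finding is a hard stop until someone has confirmed the move with the upstream maintainer, while a bare version bump on the same repository produces no output and can go through as usual.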

In summary, Packagist is a useful repository for PHP coders, but maintainers must protect their accounts and users must review updates carefully, because a single hijacked account can redirect a package's source for everyone who installs it.
