In a bug report, Packagist reveals that an attacker gained access to four inactive accounts on the platform to hijack over a dozen packages.
The attacker forked each of the packages and replaced the composer’s description in composer.json with their own message, but did not otherwise make malicious changes.
Successful exploitation meant that developers downloading the packages would get the forked version as opposed to the actual contents.
Packagist said that no additional malicious changes were distributed, and that all the accounts were disabled and their packages restored on May 2, 2023.

PHP software package repository Packagist revealed that an attacker gained access to four idle accounts on the platform to hijack over twelve packages with over 500 million installs to date.
The attacker forked each of these packages and removed the composer's name and some of the instructions but made no other malicious changes, Packagist's Nils Adermann said.
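The incident above works because Packagist resolves a package name to whatever repository the package owner's account points at, so a hijacked account can silently re-point a name at a fork. A consumer-side check that catches this is to compare the `source.url` and `description` recorded for each dependency in `composer.lock` against a trusted baseline captured from a known-good lock file. The script below is an added example, not code from Packagist, Composer or the reporting article; the package names, repository URLs, descriptions and the `EXPECTED` baseline are all constructed for illustration.

```python
"""Detect Packagist dependencies whose source repository or description has
drifted from a trusted baseline, by inspecting a composer.lock file.

Added example (not Packagist's or Composer's own code). All package names,
URLs, references and descriptions below are constructed for illustration.
"""
import json
import re
from urllib.parse import urlparse

# Hypothetical trusted baseline: what each dependency is expected to look like.
# In practice this is recorded from a known-good composer.lock and kept outside
# the repository the lock file lives in.
EXPECTED = {
    "example-vendor/example-lib": {
        "repo": "github.com/example-vendor/example-lib",
        "description": "An example library.",
    },
    "example-vendor/other-lib": {
        "repo": "github.com/example-vendor/other-lib",
        "description": "Another example library.",
    },
}

# Constructed composer.lock excerpt. The first package has been re-pointed at a
# fork under a different account and its description replaced (the pattern the
# article describes); the second package is untouched.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            "name": "example-vendor/example-lib",
            "version": "1.2.3",
            "source": {"type": "git",
                       "url": "git@github.com:hijacker-account/example-lib.git",
                       "reference": "0000000000000000000000000000000000000000"},
            "description": "Pwned",
        },
        {
            "name": "example-vendor/other-lib",
            "version": "2.0.0",
            "source": {"type": "git",
                       "url": "https://github.com/example-vendor/other-lib.git",
                       "reference": "1111111111111111111111111111111111111111"},
            "description": "Another example library.",
        },
    ],
    "packages-dev": [],
})


def normalize_repo(url: str) -> str:
    """Reduce a git remote URL to 'host/owner/repo' so that the https and
    scp-style ssh spellings of the same repository compare equal."""
    m = re.match(r"^(?:[\w.-]+@)?([\w.-]+):(.+)$", url)
    if m and "://" not in url:
        # scp-style form: user@host:owner/repo.git
        host, path = m.group(1), m.group(2)
    else:
        parsed = urlparse(url)
        host, path = parsed.netloc, parsed.path
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return f"{host.lower()}/{path.lower()}"


def find_drift(lock_text: str, expected: dict) -> list:
    """Return one finding per package that does not match the baseline.

    Findings are dicts with an 'issue' of 'not-in-baseline', 'source-moved'
    or 'description-changed'; an empty list means the lock file is clean."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name")
        baseline = expected.get(name)
        if baseline is None:
            findings.append({"package": name, "issue": "not-in-baseline"})
            continue
        src_url = pkg.get("source", {}).get("url", "")
        if normalize_repo(src_url) != baseline["repo"].lower():
            findings.append({"package": name, "issue": "source-moved",
                             "actual": src_url, "expected": baseline["repo"]})
        if pkg.get("description") != baseline["description"]:
            findings.append({"package": name, "issue": "description-changed",
                             "actual": pkg.get("description")})
    return findings


if __name__ == "__main__":
    for finding in find_drift(SAMPLE_LOCK, EXPECTED):
        print(finding)
```

Run against the constructed lock file, the script reports `source-moved` and `description-changed` for `example-vendor/example-lib` and nothing for `example-vendor/other-lib`. Wiring `find_drift` into CI and failing the build on any finding turns a quiet re-pointing of a package into a visible diff review rather than a silent install.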