PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack about a dozen packages with over 500 million installs to date.
"The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," Packagist's Nils Adermann said. "The package URLs were then changed to point to the forked repositories."
The four user accounts are said to have had access to a total of 14 packages, including multiple Doctrine packages. The incident took place on May 1, 2023. The complete list of affected packages is as follows:
- acmephp/acmephp
- acmephp/main
- acmephp/ssl
- doctrine/doctrine-cache-bundle
- doctrine/doctrine-module
- doctrine/doctrine-mongo-odm-module
- doctrine/doctrine-orm-module
- doctrine/instantiator
- growthbook/growthbook
- jdorn/file-system-cache
- jdorn/sql-formatter
- khanamiryan/qrcode-detector-decoder
- object-calisthenics/phpcs-calisthenics-rules
- tga/simhash-php
Security researcher Ax Sharma, writing for BleepingComputer, found that the changes were made by an anonymous penetration tester using the pseudonym "neskafe3v1" in an attempt to land a job.
The attack chain, in a nutshell, made it possible to repoint the Packagist page for each of these packages to a namesake GitHub repository, effectively altering the install workflow used within Composer environments.
Successful exploitation meant that developers downloading the packages would receive the forked version instead of the genuine contents.
Packagist said that no additional malicious changes were distributed, and that all the accounts were disabled and their packages restored on May 2, 2023. It is also urging users to enable two-factor authentication (2FA) to secure their accounts.
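One defensive check the repointing described above suggests, as an added example that is not from the original article or from Packagist: compare two composer.lock snapshots and flag any package that kept its name but now resolves to a different source repository URL, or whose unchanged version string now resolves to a different commit. The lock fragments, version numbers, commit references and the fork owner name are constructed placeholders.

```python
import json

# Constructed composer.lock fragments (not real lock files). The "after" snapshot
# has one package whose source repository now points at a namesake fork, the
# pattern described in the Packagist incident above.
LOCK_BEFORE = json.dumps({"packages": [
    {"name": "doctrine/instantiator", "version": "1.5.0",
     "source": {"type": "git", "url": "https://github.com/doctrine/instantiator.git",
                "reference": "0000000000000000000000000000000000000001"}},
    {"name": "jdorn/sql-formatter", "version": "1.2.17",
     "source": {"type": "git", "url": "https://github.com/jdorn/sql-formatter.git",
                "reference": "0000000000000000000000000000000000000002"}},
]})
LOCK_AFTER = json.dumps({"packages": [
    {"name": "doctrine/instantiator", "version": "1.5.0",
     "source": {"type": "git", "url": "https://github.com/doctrine/instantiator.git",
                "reference": "0000000000000000000000000000000000000001"}},
    {"name": "jdorn/sql-formatter", "version": "1.2.17",
     "source": {"type": "git", "url": "https://github.com/fork-owner-placeholder/sql-formatter.git",
                "reference": "0000000000000000000000000000000000000003"}},
]})

def index_lock(lock_json):
    """Map package name -> (version, source URL, commit reference), covering
    both the "packages" and "packages-dev" sections of a composer.lock."""
    lock = json.loads(lock_json)
    out = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        src = pkg.get("source") or {}
        out[pkg["name"]] = (pkg.get("version"), src.get("url"), src.get("reference"))
    return out

def repointed_packages(before_json, after_json):
    """Return (name, reason) pairs for packages that kept their name but now
    resolve to a different source repository, or to a different commit for an
    unchanged version string. Dependencies new in "after" are not assessed."""
    before, after = index_lock(before_json), index_lock(after_json)
    findings = []
    for name, (version, url, ref) in after.items():
        old = before.get(name)
        if old is None:
            continue
        old_version, old_url, old_ref = old
        if old_url != url:
            findings.append((name, f"source URL changed: {old_url} -> {url}"))
        elif old_version == version and old_ref != ref:
            findings.append((name, f"same version {version} now at commit {ref}"))
    return findings
```

Run it over the committed and freshly regenerated lock files in CI so that a source repository moving without a corresponding dependency change fails the build rather than silently installing the fork.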
"All four accounts appear to have been using shared passwords leaked in previous incidents on other platforms," Adermann noted. "Please, do not reuse passwords."
The development comes as cloud security company Aqua found thousands of exposed cloud software registries and repositories containing more than 250 million artifacts and about 65,000 container images.
The misconfigurations stem from mistakenly connecting registries to the internet, allowing anonymous access by design, using default passwords, and granting upload privileges to users that could be abused to poison the registry with malicious code.
"In some of these cases, anonymous user access allowed a potential attacker to gain sensitive information, such as secrets, keys, and passwords, which could lead to a severe software supply chain attack and poisoning of the software development life cycle (SDLC)," researchers Mor Weinberger and Assaf Morag disclosed late last month.
Some areas of this post are sourced from:
thehackernews.com