PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date.
"The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," Packagist's Nils Adermann said
Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.
"This vulnerability allows gaining control of Packagist," SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager