Packagist.org maintainer account takeover

Source: blog.packagist.com

Packagist.org maintainer account takeover
On May 1st, 2023 between 3:08pm UTC and 4:05pm UTC an attacker accessed four user accounts that had been inactive on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes.

On May 2nd, at 7:21 am UTC we were notified by Juha Suni about the change of URL to multiple Doctrine packages. Together with Marco Pivetta (Ocramius) we promptly identified all accessed accounts, disabled access to them and restored the URLs to their previous values.

Please note that Packagist.org is only a metadata server and package contents are downloaded from a location chosen by the package maintainers.
Read Full Article On blog.packagist.com
Achieve superior email deliverability with ToastMail! Our AI-driven tool warms up inboxes, monitors reputation, and ensures emails reach their intended destination. Sign up today for a spam-free future.
Newsletter

Get the latest Laravel/PHP jobs, events and curated articles straight to your inbox, once a week

Fathom Analytics | Fast, simple and privacy-focused website analytics.

Fathom Analytics

Fathom Analytics | Fast, simple and privacy-focused website analytics.
Achieve superior email deliverability with ToastMail! Our AI-driven tool warms up inboxes, monitors reputation, and ensures emails reach their intended destination. Sign up today for a spam-free future.

ToastMail

Achieve superior email deliverability with ToastMail! Our AI-driven tool warms up inboxes, monitors reputation, and ensures emails reach their intended destination. Sign up today for a spam-free future.
Community Partners
Autonomous.ai | Best Standing Desks & Ergonomic Office Chairs

Digital Ocean

Koho

Become a Partner?
Laravel/PHP Careers
    • Add a Job?