Get the latest Laravel/PHP jobs, events and curated articles straight to your inbox, once a week
Source: blog.packagist.com
Packagist.org maintainer account takeover
On May 1st, 2023 between 3:08pm UTC and 4:05pm UTC an attacker accessed four user accounts that had been inactive on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes.
On May 2nd, at 7:21 am UTC we were notified by Juha Suni about the change of URL to multiple Doctrine packages. Together with Marco Pivetta (Ocramius) we promptly identified all accessed accounts, disabled access to them and restored the URLs to their previous values.
Please note that Packagist.org is only a metadata server and package contents are downloaded from a location chosen by the package maintainers.
On May 2nd, at 7:21 am UTC we were notified by Juha Suni about the change of URL to multiple Doctrine packages. Together with Marco Pivetta (Ocramius) we promptly identified all accessed accounts, disabled access to them and restored the URLs to their previous values.
Please note that Packagist.org is only a metadata server and package contents are downloaded from a location chosen by the package maintainers.
Newsletter
Glimpse
Glimpse streamlines Laravel development by seamlessly deploying GitHub pull requests to preview environments with the help of Laravel Forge.
Community Partners
Laravel/PHP Careers