On May 1st, 2023 between 3:08pm UTC and 4:05pm UTC an attacker accessed four user accounts that had been inactive on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes.
On May 2nd, at 7:21am UTC, we were notified by Juha Suni about the changed repository URL on multiple Doctrine packages. Together with Marco Pivetta (Ocramius), we promptly identified all accessed accounts, disabled access to them, and restored the URLs to their previous values.
Please note that Packagist.org is only a metadata server: package contents are downloaded from the repository location chosen by the package maintainers, so the repository URL recorded for a package determines where Composer actually fetches its code from.
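Because the metadata server only points at a repository, the practical check on the consumer side is whether the source and dist URLs recorded in a project's composer.lock still point where they are expected to. The script below is an added example, not part of Packagist's announcement or of Composer's own tooling: it audits each locked package's URLs against an allowlist of hosts and an expected repository owner. The composer.lock excerpt, package names, owners and commit references are constructed for illustration; the default assumption that the repository owner equals the Composer vendor name is a heuristic, and the `expected_owners` mapping exists to override it for packages hosted elsewhere.

```python
import json
from urllib.parse import urlparse

# Constructed composer.lock excerpt (illustrative only; not from the incident).
# "vendor/safe-package" points at the expected owner, while "vendor/forked-package"
# has source and dist URLs under a different owner, the kind of change a
# repository URL swap on Packagist would produce after the next `composer update`.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            "name": "vendor/safe-package",
            "version": "1.2.3",
            "source": {"type": "git", "url": "https://github.com/vendor/safe-package.git",
                       "reference": "abc123"},
            "dist": {"type": "zip",
                     "url": "https://api.github.com/repos/vendor/safe-package/zipball/abc123"},
        },
        {
            "name": "vendor/forked-package",
            "version": "2.0.0",
            "source": {"type": "git", "url": "https://github.com/someone-else/forked-package.git",
                       "reference": "def456"},
            "dist": {"type": "zip",
                     "url": "https://api.github.com/repos/someone-else/forked-package/zipball/def456"},
        },
    ],
    "packages-dev": [],
})

# Hosts from which this project expects to fetch package code (assumed allowlist).
EXPECTED_HOSTS = {"github.com", "api.github.com", "gitlab.com"}


def repo_owner(url):
    """Return the repository owner/namespace segment of a source or dist URL.

    For api.github.com dist URLs the path is /repos/<owner>/<repo>/zipball/<ref>,
    so the leading 'repos' segment is skipped.
    """
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.hostname == "api.github.com" and parts and parts[0] == "repos":
        parts = parts[1:]
    return parts[0] if parts else ""


def audit_lock(lock_text, expected_hosts=EXPECTED_HOSTS, expected_owners=None):
    """Return a list of (package name, reason) findings for a composer.lock document.

    A finding is raised when a source/dist URL is on a host outside the allowlist,
    or when its owner differs from the expected owner for that package. The expected
    owner defaults to the Composer vendor prefix (heuristic); pass expected_owners
    {"vendor/name": "gh-owner"} for packages whose repository owner differs.
    """
    lock = json.loads(lock_text)
    expected_owners = expected_owners or {}
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg["name"]
            vendor = name.split("/")[0]
            want = expected_owners.get(name, vendor)
            for kind in ("source", "dist"):
                entry = pkg.get(kind)
                if not entry:
                    continue
                url = entry.get("url", "")
                host = urlparse(url).hostname or ""
                if host not in expected_hosts:
                    findings.append((name, f"{kind} URL on unexpected host {host!r}: {url}"))
                    continue
                owner = repo_owner(url)
                if owner.lower() != want.lower():
                    findings.append(
                        (name, f"{kind} URL owner {owner!r} differs from expected {want!r}: {url}")
                    )
    return findings


if __name__ == "__main__":
    # Usage: run against the constructed sample; for a real project, read composer.lock
    # from disk and pass its text instead.
    for package, reason in audit_lock(SAMPLE_LOCK):
        print(f"{package}: {reason}")
```

In practice you would run this in CI against the committed composer.lock and treat any finding as a reason to inspect the package before installing, since the lock file records exactly the URL Composer will fetch from.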