Code security company SonarSource has published details on a severe vulnerability affecting Packagist that could have been abused to mount supply chain attacks against the PHP community.

Packagist is the default repository for Composer, the PHP dependency manager, and aggregates the public PHP packages that Composer can install. Each month, Composer is used to download more than 2 billion packages.

According to Sonar’s security researchers, the recently identified vulnerability could have been used to hijack over 100 million requests to distribute malicious dependencies, potentially leading to the compromise of millions of servers.

More information: https://www.securityweek.com/critical-packagist-vulnerability-could-have-allowed-php-supply-chain-attack
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.