Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.
“This vulnerability allows gaining control of Packagist,” SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects.
The disclosure comes as planting malware in open source repositories is turning into an attractive conduit for mounting software supply chain attacks.
Comments are closed.