{"id":147554,"date":"2022-10-04T23:23:23","date_gmt":"2022-10-05T04:23:23","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2022\/10\/researchers-report-supply-chain-vulnerability-in-packagist-php-repository"},"modified":"2022-10-04T23:23:23","modified_gmt":"2022-10-05T04:23:23","slug":"researchers-report-supply-chain-vulnerability-in-packagist-php-repository","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2022\/10\/researchers-report-supply-chain-vulnerability-in-packagist-php-repository","title":{"rendered":"Researchers Report Supply Chain Vulnerability in Packagist PHP Repository"},"content":{"rendered":"<p><iframe style=\"display: block; margin: 0 auto; width: 100%; aspect-ratio: 4\/3; object-fit: contain;\" src=\"https:\/\/www.youtube.com\/embed\/6TzaVh-Ludw?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe><\/p>\n<p>Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.<\/p>\n<p>\u201cThis vulnerability allows gaining control of <a href=\"https:\/\/packagist.org\/\" rel=\"noopener\" target=\"_blank\">Packagist<\/a>,\u201d SonarSource researcher Thomas Chauchefoin <a href=\"https:\/\/blog.sonarsource.com\/securing-developer-tools-a-new-supply-chain-attack-on-php\" rel=\"noopener\" target=\"_blank\">said<\/a> in a report shared with The Hacker News. Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects.<\/p>\n<p>The disclosure comes as planting malware in open source repositories is turning into an attractive conduit for mounting <a href=\"https:\/\/thehackernews.com\/2022\/09\/malicious-npm-package-caught-mimicking.html\" rel=\"noopener\" target=\"_blank\">software supply chain attacks<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks. \u201cThis vulnerability allows gaining control of Packagist,\u201d SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-147554","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/147554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=147554"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/147554\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=147554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=147554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=147554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}