Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Installs Compromised
PHP software package repository Packagist revealed that an “attacker” gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date.
“The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes,” Packagist’s Nils Adermann said. “The package URLs were then changed to point to the forked repositories.”
The four user accounts are said to have had access to a total of 14 packages, including multiple Doctrine packages. The incident took place on May 1, 2023. The complete list of impacted packages is as follows –
- acmephp/acmephp
- acmephp/core
- acmephp/ssl
- doctrine/doctrine-cache-bundle
- doctrine/doctrine-module
- doctrine/doctrine-mongo-odm-module
- doctrine/doctrine-orm-module
- doctrine/instantiator
- growthbook/growthbook
- jdorn/file-system-cache
- jdorn/sql-formatter
- khanamiryan/qrcode-detector-decoder
- object-calisthenics/phpcs-calisthenics-rules
- tga/simhash-php
Security researcher Ax Sharma, writing for Bleeping Computer, revealed that the changes were made by an anonymous penetration tester with the pseudonym “neskafe3v1” in an attempt to land a job.
The attack chain, in a nutshell, made it possible to modify the Packagist page for each of these packages to a namesake GitHub repository, effectively altering the installation workflow used within Composer environments.
Successful exploitation meant that developers downloading the packages would get the forked version as opposed to the actual contents.
Packagist said that no additional malicious changes were distributed, and that all the accounts were disabled and their packages restored on May 2, 2023. It’s also urging users to enable two-factor authentication (2FA) to secure their accounts.
“All four accounts appear to have been using shared passwords leaked in previous incidents on other platforms,” Adermann noted. “Please, do not reuse passwords.”
The development comes as cloud security firm Aqua identified thousands of exposed cloud software registries and repositories containing more than 250 million artifacts and over 65,000 container images.
The misconfigurations stem from mistakenly connecting registries to the internet, allowing anonymous access by design, using default passwords, and granting upload privileges to users that could be abused to poison the registry with malicious code.
“In some of these cases, anonymous user access allowed a potential attacker to gain sensitive information, such as secrets, keys, and passwords, which could lead to a severe software supply chain attack and poisoning of the software development life cycle (SDLC),” researchers Mor Weinberger and Assaf Morag disclosed late last month.