Packagist vulnerability could affect millions of open-source and paid PHP applications

Supply chain attacks are currently a major concern for software development companies. Last year, in the biggest software supply chain cyberattack in history, a backdoor infected 18,000 SolarWinds customers. Earlier this year, a security researcher used a novel supply chain hacking strategy to compromise PayPal, Apple, Microsoft, and other major IT companies.

All contemporary software is built on top of third-party software components, sometimes without a clear view of all the downloaded packages, and this is the fundamental design that these attacks abuse. While reusing many of the same components speeds up the development process, infecting the supply chain is a very powerful and covert attack vector that can infiltrate many different firms simultaneously. One year after first publishing a major vulnerability in the PHP supply chain, the Sonar R&D team discovered a new significant vulnerability in related components. It enabled taking over the server that disseminates details about the PHP software packages already in use, and ultimately jeopardizing every company that makes use of them.

The attack they present allows unauthorized scripts to be executed on the server hosting the official Packagist instance. Composer uses this service to retrieve the metadata for a given package and its dependencies. At least 100 million of the 2 billion software dependencies downloaded with Composer from Packagist each month require retrieving metadata from Packagist.

A compromise of these backend services would allow attackers to force users to run backdoored software dependencies the next time they do a fresh install or an update of a Composer package.

Since Composer is the standard PHP package manager, this would have affected the majority of open-source and paid PHP applications. If you are using the default, official Packagist instance or Private Packagist, you are already secure. If you use Composer as a library and work with untrusted repositories, upgrade to at least Composer 1.10.26, 2.2.12, or 2.3.5 to get the security fixes for CVE-2022-24828.
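
For projects that embed Composer as a library, the version thresholds above can be checked against a composer.lock file. The following is an added example, not code from Sonar or the Composer project; the function names and the sample lock content are constructed, and it assumes each listed release is the first fixed version of its branch.

```python
import json
import re

# Fixed releases named in the article for CVE-2022-24828. Assumption: each is
# the first patched release of its branch (1.x, 2.2.x, 2.3.x), and 2.0.x/2.1.x
# received no fix of their own, so they count as unpatched.
FIXED_1X, FIXED_22, FIXED_23 = (1, 10, 26), (2, 2, 12), (2, 3, 5)


def parse_version(raw):
    """Return (major, minor, patch), or None for dev/pre-release strings."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(raw):
    """True/False for plain releases, None when the version cannot be judged."""
    v = parse_version(raw)
    if v is None:
        return None
    if v[0] < 2:
        return v >= FIXED_1X
    if v[:2] < (2, 2):
        return False
    if v[:2] == (2, 2):
        return v >= FIXED_22
    return v >= FIXED_23


def audit_lock(lock_text):
    """List (section, version, patched) for each composer/composer entry."""
    lock = json.loads(lock_text)
    return [(section, pkg["version"], is_patched(pkg["version"]))
            for section in ("packages", "packages-dev")
            for pkg in lock.get(section) or []
            if pkg.get("name") == "composer/composer"]


# Constructed sample composer.lock content (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "composer/composer", "version": "2.2.9"},
                 {"name": "psr/log", "version": "1.1.4"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.5.20"}],
})

if __name__ == "__main__":
    labels = {True: "patched", False: "VULNERABLE", None: "unknown, check manually"}
    for section, version, ok in audit_lock(SAMPLE_LOCK):
        print(f"{section}: composer/composer {version} -> {labels[ok]}")
```

A result of `None` (for example for `dev-main`) means the locked version is not a plain release and has to be reviewed by hand.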