PHP’s Supply Chain Under Siege: How Packagist Fights Back Against Account Takeovers and Stealthy Malware

Recent attacks compromised laravel-lang packages and eight others via stolen GitHub credentials and hidden malware in package.json. Packagist's transparency log, Aikido detection, and upcoming immutable versions in Composer 2.10 mark concrete progress against supply chain threats. Maintainers must enable MFA now.
PHP’s Supply Chain Under Siege: How Packagist Fights Back Against Account Takeovers and Stealthy Malware
Written by Maya Perez

Attacks keep coming. In the past weeks alone, attackers seized GitHub accounts and stolen tokens to push malicious tags on popular PHP packages. The incidents hit hard. Laravel-lang packages saw over 700 historical versions compromised on May 22 and 23, 2026, according to Snyk. Days earlier, intercom/intercom-php fell victim on April 30.

But the response from the maintainers of Composer and Packagist.org shows deliberate progress. Their latest blog post lays out concrete defenses already deployed, features rolling out this week, and longer-term plans that address the root problems of mutable releases and weak maintainer accounts. Packagist blog details it all.

One coordinated campaign in May infected eight packages. The malicious code hid in package.json files rather than composer.json. It targeted projects mixing JavaScript build tools with PHP. “Although the affected packages were all Composer packages, the malicious code was not added to composer.json,” Socket said. “Instead, it was inserted into package.json, targeting projects that ship JavaScript build tooling alongside PHP code.”

The payload downloaded a Linux binary from a GitHub Releases URL, saved it to /tmp/.sshd, made it executable, and ran it in the background. It disabled TLS verification and suppressed errors. “Even without the second-stage binary, the malicious installer is enough to warrant blocking,” Socket added. The eight packages included devdojo/wave, devdojo/genesis, and moritz-sauer-13/silverstripe-cms-theme among others. The Hacker News reported the details on May 23.

These aren’t isolated cases. Attackers exploit the open nature of public repositories. They compromise maintainer credentials. Then they rewrite git tags on existing releases. Users running composer update pull the new, tainted code without realizing the version number stayed the same.

Defenses Already in Place

Packagist integrated malware detection from Aikido in March 2026. Flagged versions now appear prominently on the site and in metadata Composer consumes. The system caught the recent malicious releases quickly.

Incident response happens fast. The small Packagist team pulls compromised packages or versions within minutes. Yet manual work can’t scale. The focus has shifted toward prevention.

A public transparency log records key events. Ownership changes. Maintainer additions and removals. Version reference updates. It proved invaluable in the latest attacks. “The transparency log accurately recorded each of these modifications, which let us identify exactly what had been manipulated and reconstruct precise timelines of each attack,” the Packagist team wrote.

Funded partly by the German Sovereign Tech Agency and organized through the PHP Foundation, the log brings auditability to a repository handling over 400,000 packages and 100 million daily installs. Anyone can review history for a package. See when tags changed. Spot sudden maintainer swaps. The log requires login today but offers a foundation for broader monitoring tools.

And the pressure on maintainers grows. If you maintain packages on Packagist.org and haven’t enabled multi-factor authentication, do it now. MFA status will soon appear in the transparency log and on public profiles. The change turns account security from private practice into visible package property. Downstream users gain information they currently lack.

New Protections Shipping Immediately

Composer 2.10 arrives this week. It introduces a unified dependency policy framework. The single system handles malware flags, vulnerability advisories, and abandoned packages. Future rules fit cleanly inside it.

One planned follow-up blocks releases younger than a set age. Such cooldown periods stop fresh malicious versions before detection catches up. The policy depends on immutable metadata first.

That immutability lands now. Stable tagged versions on Packagist.org can no longer be silently rewritten by upstream git tag changes. Packagist will reject re-tags on non-dev versions and notify maintainers by email. Dev branches tied to mutable references continue unchanged.

The decision enforces a practice long recommended. Never rewrite a released version. Fix problems with new releases instead. The consequences of mutation run deeper than many realize. Mirrors and SBOM tools copy metadata instantly. Lock files offer partial protection but break on updates. Account takeovers become far more dangerous when attackers can backdoor existing popular versions.

Composer itself adjusts behavior too. It aims to deliver the originally published artifact or fail clearly. No more silent swaps.

Additional admin tools are coming. Manual overrides for malware feeds. Delisting for older Composer clients. Package freezing during active repository compromises. These changes reduce friction during live incidents.

Private Packagist gains new organization-level controls. Details follow in coming days. The broader roadmap points toward mandatory MFA, FIDO2-backed staged releases for high-impact packages, and eventual hosting of immutable build artifacts with SLSA provenance and Sigstore attestations verified client-side.

The team participates in the OpenSSF Securing Software Repositories Working Group. Their goals align with Level 3 authorization principles and advancing dependency track standards.

PHP developers face real exposure. Many projects still run outdated Composer versions. They skip lock file reviews. They allow source fallbacks that Composer 2.10 will deprecate. The recent Perforce driver command injection flaws fixed in April, tracked as CVE-2026-40261 and CVE-2026-40176, reminded everyone that even the dependency manager itself carries risks. Packagist announced those patches in mid-April.

Yet the ecosystem shows signs of hardening. Transparency creates accountability. Immutability removes a favorite attacker technique. Policies give operators granular control. Detection feeds surface threats early.

Still, no single change solves everything. Attackers adapt. They target popular packages with many transitive dependents. They use cross-language tricks like the package.json hooks. They hunt for abandoned but still-downloaded libraries.

Organizations should audit dependencies now. Review composer.lock files for unexpected commits. Enable MFA everywhere. Consider private repositories for critical internal packages. Monitor the transparency log for packages they rely on. And update Composer immediately to 2.10 or the latest 2.2 LTS.

The Packagist team has spent close to a year focused on these issues. Their pace is measured. Each step builds on the last. The transparency log already delivered value in active incidents. Version immutability closes a longstanding gap. Dependency policies create a flexible foundation for future defenses.

PHP powers a huge slice of the web. Its package supply chain must match that importance. The recent attacks exposed weaknesses. The responses underway demonstrate serious commitment to closing them. Progress continues. But vigilance from every maintainer and user remains essential. Check your dependencies today. The next compromise may already be in progress.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us