top of page

Packagist Hijacked by "Attacker" in Attempt to Land Job

On May 1, 2023, an attacker gained access to four inactive accounts on PHP software package repository Packagist. The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes. The package URLs were then changed to point to the forked repositories. The four user accounts are said to have had access to a total of 14 packages, including multiple Doctrine packages. This incident took place on May 1, 2023. The complete list of impacted packages is as follows - Security researcher Ax Sharma, writing for Bleeping Computer, revealed that the changes were made by an anonymous penetration tester with the pseudonym "neskafe3v1" in an attempt to land a job. The attack chain, in a nutshell, made it possible to modify the Packagist page for each of these packages to a namesake GitHub repository, effectively altering the installation workflow used within Composer environments. Successful exploitation meant that developers downloading the packages would get the forked version as opposed to the actual contents. Packagist said that no additional malicious changes were distributed, and that all the accounts were disabled and their packages restored on May 2, 2023. It's also urging users to enable two-factor authentication (2FA) to secure their accounts. This incident highlights the importance of security measures, such as two-factor authentication, to protect user accounts. It also underscores the need for companies to audit their systems regularly and have procedures in place to quickly detect and resolve security breaches.


bottom of page