Over a Dozen PHP Packages with 500M Compromise
The Packagist PHP software package repository revealed that an “attacker” gained access to four inactive accounts on the platform to hijack more than a dozen packages with over 500 million installs to date.
“The attacker forks individual packages and replaces the package description in composer.json with their own message but otherwise makes no malicious changes,” Nils Adermann of Packagist said. “The package URL was then changed to point to the forked repository.”
The four user accounts are said to have access to a total of 14 packages, including some of the Doctrine packages. The event occurred on May 1, 2023. The full list of affected packages is as follows –
- acmephp/acmephp
- acmephp/core
- acmephp/ssl
- doctrinal-cache bundle
- doctrine/doctrine-module
- doctrine/doctrine-mongo-odm-module
- doctrine/doctrine-orm-module
- doctrine / agency
- growth book / growth book
- jdorn/file-system-cache
- jdorn/sql-formatter
- khanamiryan/qrcode-detector-decoder
- object-calisthenics/phpcs-calisthenics-rules
- tga/simhash-php
Security researcher Ax Sharma, writing for Bleeping Computer, revealed that the change was made by an anonymous penetration tester under the pseudonym “neskafe3v1” in an attempt to get a job.
The attack chain, in short, makes it possible to modify the Packagist page for each of these packages to its namesake GitHub repository, effectively changing the installation workflow used within the Composer environment.
A successful exploit means that a developer who downloads a package will end up with a forked version that conflicts with the actual content.
Packagist says that no additional malicious changes were distributed, and all accounts have been deactivated and packages restored by May 2, 2023. It also urges users to enable two-factor authentication (2FA) to secure their accounts.
“The four accounts appear to be using a shared password that was leaked in a previous incident on another platform,” said Adermann. “Please do not reuse passwords.”
This development comes as cloud security firm Aqua identified thousands of open cloud software registries and repositories containing more than 250 million artifacts and more than 65,000 container images.
Configuration errors stem from incorrectly connecting the registrar to the internet, enabling anonymous access by design, using default passwords, and granting users upload rights which can be abused to poison the registry with malicious code.
“In some of these cases, anonymous user access allowed potential attackers to obtain sensitive information, such as secrets, keys, and passwords, which could lead to severe software supply chain attacks and software development life cycle poisoning (SDLC),” Mor researcher Weinberger and Assaf Morag disclosed late last month.
