home.social

#packagist — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #packagist, aggregated by home.social.

  1. 📰 Packagist Supply Chain Attack Uses Clever Evasion to Infect PHP Projects with Linux Malware

    🚨 PHP supply chain attack hits Packagist! 8+ packages compromised to drop Linux malware. Attackers hid malicious code in `package.json` to evade PHP security scanners. #SupplyChainAttack #PHP #Packagist #CyberSecurity

    🌐 cyber[.]netsecops[.]io

    🔗 cyber.netsecops.io/articles/co

  2. 📰 Packagist Supply Chain Attack Uses Clever Evasion to Infect PHP Projects with Linux Malware

    🚨 PHP supply chain attack hits Packagist! 8+ packages compromised to drop Linux malware. Attackers hid malicious code in `package.json` to evade PHP security scanners. #SupplyChainAttack #PHP #Packagist #CyberSecurity

    🌐 cyber[.]netsecops[.]io

    🔗 cyber.netsecops.io/articles/co

  3. 📰 Packagist Supply Chain Attack Uses Clever Evasion to Infect PHP Projects with Linux Malware

    🚨 PHP supply chain attack hits Packagist! 8+ packages compromised to drop Linux malware. Attackers hid malicious code in `package.json` to evade PHP security scanners. #SupplyChainAttack #PHP #Packagist #CyberSecurity

    🌐 cyber[.]netsecops[.]io

    🔗 cyber.netsecops.io/articles/co

  4. 📰 Packagist Supply Chain Attack Uses Clever Evasion to Infect PHP Projects with Linux Malware

    🚨 PHP supply chain attack hits Packagist! 8+ packages compromised to drop Linux malware. Attackers hid malicious code in `package.json` to evade PHP security scanners. #SupplyChainAttack #PHP #Packagist #CyberSecurity

    🌐 cyber[.]netsecops[.]io

    🔗 cyber.netsecops.io/articles/co

  5. 📰 Packagist Supply Chain Attack Uses Clever Evasion to Infect PHP Projects with Linux Malware

    🚨 PHP supply chain attack hits Packagist! 8+ packages compromised to drop Linux malware. Attackers hid malicious code in `package.json` to evade PHP security scanners. #SupplyChainAttack #PHP #Packagist #CyberSecurity

    🌐 cyber[.]netsecops[.]io

    🔗 cyber.netsecops.io/articles/co

  6. GitHub-Hosted Malware Targets PHP Packages in Coordinated Supply Chain Attack

    Malicious code was injected into eight PHP packages on Packagist, triggering a Linux binary download from GitHub Releases via JavaScript lifecycle hooks in package.json postinstall scripts. The attack was swiftly contained, with the malicious versions removed from Packagist.

    osintsights.com/github-hosted-

    #SupplyChainAttack #Github #Php #Packagist #Javascript

  7. ▪ Also patched in legacy Composer 1.10.28 (upgrade to 2.x still recommended)

    🚑 Immediate actions:
    1️⃣ Run composer.phar self-update NOW
    2️⃣ Can't update? Disable #GitHubActions workflows running Composer
    3️⃣ Review CI logs for leaked tokens
    4️⃣ Delete any log contents containing raw token values before they expire

    📦 #Packagist.org is unaffected — no GitHub App involved. #PrivatePackagist applied the fix and audited logs: no tokens were exposed. Self-hosted PP is also unaffected.

  8. ▪ Also patched in legacy Composer 1.10.28 (upgrade to 2.x still recommended)

    🚑 Immediate actions:
    1️⃣ Run composer.phar self-update NOW
    2️⃣ Can't update? Disable #GitHubActions workflows running Composer
    3️⃣ Review CI logs for leaked tokens
    4️⃣ Delete any log contents containing raw token values before they expire

    📦 #Packagist.org is unaffected — no GitHub App involved. #PrivatePackagist applied the fix and audited logs: no tokens were exposed. Self-hosted PP is also unaffected.

  9. ▪ Also patched in legacy Composer 1.10.28 (upgrade to 2.x still recommended)

    🚑 Immediate actions:
    1️⃣ Run composer.phar self-update NOW
    2️⃣ Can't update? Disable #GitHubActions workflows running Composer
    3️⃣ Review CI logs for leaked tokens
    4️⃣ Delete any log contents containing raw token values before they expire

    📦 #Packagist.org is unaffected — no GitHub App involved. #PrivatePackagist applied the fix and audited logs: no tokens were exposed. Self-hosted PP is also unaffected.

  10. ▪ Also patched in legacy Composer 1.10.28 (upgrade to 2.x still recommended)

    🚑 Immediate actions:
    1️⃣ Run composer.phar self-update NOW
    2️⃣ Can't update? Disable #GitHubActions workflows running Composer
    3️⃣ Review CI logs for leaked tokens
    4️⃣ Delete any log contents containing raw token values before they expire

    📦 #Packagist.org is unaffected — no GitHub App involved. #PrivatePackagist applied the fix and audited logs: no tokens were exposed. Self-hosted PP is also unaffected.

  11. ▪ Also patched in legacy Composer 1.10.28 (upgrade to 2.x still recommended)

    🚑 Immediate actions:
    1️⃣ Run composer.phar self-update NOW
    2️⃣ Can't update? Disable #GitHubActions workflows running Composer
    3️⃣ Review CI logs for leaked tokens
    4️⃣ Delete any log contents containing raw token values before they expire

    📦 #Packagist.org is unaffected — no GitHub App involved. #PrivatePackagist applied the fix and audited logs: no tokens were exposed. Self-hosted PP is also unaffected.

  12. ⚠️ Fake #Laravel packages on #Packagist deploy a cross-platform #RAT on Windows, macOS & Linux — researchers at Socket flagged 3 malicious #PHP packages disguised as Laravel utilities #cybersecurity #supplychain #opensource #infosec

    📦 Malicious packages identified:
    • nhattuanbl/lara-helper (37 downloads)
    • nhattuanbl/simple-queue (29 downloads)
    • nhattuanbl/lara-swagger (49 downloads)

    🧵 👇

  13. ⚠️ Fake #Laravel packages on #Packagist deploy a cross-platform #RAT on Windows, macOS & Linux — researchers at Socket flagged 3 malicious #PHP packages disguised as Laravel utilities #cybersecurity #supplychain #opensource #infosec

    📦 Malicious packages identified:
    • nhattuanbl/lara-helper (37 downloads)
    • nhattuanbl/simple-queue (29 downloads)
    • nhattuanbl/lara-swagger (49 downloads)

    🧵 👇

  14. ⚠️ Fake #Laravel packages on #Packagist deploy a cross-platform #RAT on Windows, macOS & Linux — researchers at Socket flagged 3 malicious #PHP packages disguised as Laravel utilities #cybersecurity #supplychain #opensource #infosec

    📦 Malicious packages identified:
    • nhattuanbl/lara-helper (37 downloads)
    • nhattuanbl/simple-queue (29 downloads)
    • nhattuanbl/lara-swagger (49 downloads)

    🧵 👇

  15. ⚠️ Fake #Laravel packages on #Packagist deploy a cross-platform #RAT on Windows, macOS & Linux — researchers at Socket flagged 3 malicious #PHP packages disguised as Laravel utilities #cybersecurity #supplychain #opensource #infosec

    📦 Malicious packages identified:
    • nhattuanbl/lara-helper (37 downloads)
    • nhattuanbl/simple-queue (29 downloads)
    • nhattuanbl/lara-swagger (49 downloads)

    🧵 👇

  16. ⚠️ Fake #Laravel packages on #Packagist deploy a cross-platform #RAT on Windows, macOS & Linux — researchers at Socket flagged 3 malicious #PHP packages disguised as Laravel utilities #cybersecurity #supplychain #opensource #infosec

    📦 Malicious packages identified:
    • nhattuanbl/lara-helper (37 downloads)
    • nhattuanbl/simple-queue (29 downloads)
    • nhattuanbl/lara-swagger (49 downloads)

    🧵 👇

  17. I finally solved my Composer hanging/stuck issue 🚀
    Set up a local proxy server and routed downloads using PHP stream functions.

    Added real-time debugging with log files to trace where it was freezing.

    Result: smooth installs, zero guesswork 😌

    #PHP #composer #packagist #proxy

  18. I finally solved my Composer hanging/stuck issue 🚀
    Set up a local proxy server and routed downloads using PHP stream functions.

    Added real-time debugging with log files to trace where it was freezing.

    Result: smooth installs, zero guesswork 😌

    #PHP #composer #packagist #proxy

  19. I finally solved my Composer hanging/stuck issue 🚀
    Set up a local proxy server and routed downloads using PHP stream functions.

    Added real-time debugging with log files to trace where it was freezing.

    Result: smooth installs, zero guesswork 😌

    #PHP #composer #packagist #proxy

  20. I finally solved my Composer hanging/stuck issue 🚀
    Set up a local proxy server and routed downloads using PHP stream functions.

    Added real-time debugging with log files to trace where it was freezing.

    Result: smooth installs, zero guesswork 😌

    #PHP #composer #packagist #proxy

  21. I finally solved my Composer hanging/stuck issue 🚀
    Set up a local proxy server and routed downloads using PHP stream functions.

    Added real-time debugging with log files to trace where it was freezing.

    Result: smooth installs, zero guesswork 😌

    #PHP #composer #packagist #proxy

  22. The other night I made this little #PHP tool that validates #PHPDoc annotations against the actual method signature, to make sure that they are compatible and don't drift apart over time.

    I use it as a quick check before running #PHPStan to make sure that the static analysis is correctly informed. Published it on #Packagist in case anyone else would find it useful too: packagist.org/packages/nsrosen

  23. The other night I made this little #PHP tool that validates #PHPDoc annotations against the actual method signature, to make sure that they are compatible and don't drift apart over time.

    I use it as a quick check before running #PHPStan to make sure that the static analysis is correctly informed. Published it on #Packagist in case anyone else would find it useful too: packagist.org/packages/nsrosen

  24. The other night I made this little #PHP tool that validates #PHPDoc annotations against the actual method signature, to make sure that they are compatible and don't drift apart over time.

    I use it as a quick check before running #PHPStan to make sure that the static analysis is correctly informed. Published it on #Packagist in case anyone else would find it useful too: packagist.org/packages/nsrosen

  25. The other night I made this little #PHP tool that validates #PHPDoc annotations against the actual method signature, to make sure that they are compatible and don't drift apart over time.

    I use it as a quick check before running #PHPStan to make sure that the static analysis is correctly informed. Published it on #Packagist in case anyone else would find it useful too: packagist.org/packages/nsrosen

  26. The other night I made this little #PHP tool that validates #PHPDoc annotations against the actual method signature, to make sure that they are compatible and don't drift apart over time.

    I use it as a quick check before running #PHPStan to make sure that the static analysis is correctly informed. Published it on #Packagist in case anyone else would find it useful too: packagist.org/packages/nsrosen

  27. RE: infosec.exchange/@art4/1157471

    Just in time for the end of 2025 (at least in my time zone), I released version 1.0.0 of my new #RectorExtension that replaces the native type declaration set. The special thing about it: no breaking changes!

    This means: no changes to parameter types or return types if your class/method is not private or final. This is particularly important for library maintainers who want to use #Rector but don't want to have any breaking changes.

    If you are a maintainer of a #PHP library and #backwardcompatibility is important to you, then check it out on #packagist:

    packagist.org/packages/art4/re

    Happy new year! 🥳

  28. RE: infosec.exchange/@art4/1157471

    Just in time for the end of 2025 (at least in my time zone), I released version 1.0.0 of my new #RectorExtension that replaces the native type declaration set. The special thing about it: no breaking changes!

    This means: no changes to parameter types or return types if your class/method is not private or final. This is particularly important for library maintainers who want to use #Rector but don't want to have any breaking changes.

    If you are a maintainer of a #PHP library and #backwardcompatibility is important to you, then check it out on #packagist:

    packagist.org/packages/art4/re

    Happy new year! 🥳

  29. RE: infosec.exchange/@art4/1157471

    Just in time for the end of 2025 (at least in my time zone), I released version 1.0.0 of my new #RectorExtension that replaces the native type declaration set. The special thing about it: no breaking changes!

    This means: no changes to parameter types or return types if your class/method is not private or final. This is particularly important for library maintainers who want to use #Rector but don't want to have any breaking changes.

    If you are a maintainer of a #PHP library and #backwardcompatibility is important to you, then check it out on #packagist:

    packagist.org/packages/art4/re

    Happy new year! 🥳

  30. RE: infosec.exchange/@art4/1157471

    Just in time for the end of 2025 (at least in my time zone), I released version 1.0.0 of my new #RectorExtension that replaces the native type declaration set. The special thing about it: no breaking changes!

    This means: no changes to parameter types or return types if your class/method is not private or final. This is particularly important for library maintainers who want to use #Rector but don't want to have any breaking changes.

    If you are a maintainer of a #PHP library and #backwardcompatibility is important to you, then check it out on #packagist:

    packagist.org/packages/art4/re

    Happy new year! 🥳

  31. RE: infosec.exchange/@art4/1157471

    Just in time for the end of 2025 (at least in my time zone), I released version 1.0.0 of my new #RectorExtension that replaces the native type declaration set. The special thing about it: no breaking changes!

    This means: no changes to parameter types or return types if your class/method is not private or final. This is particularly important for library maintainers who want to use #Rector but don't want to have any breaking changes.

    If you are a maintainer of a #PHP library and #backwardcompatibility is important to you, then check it out on #packagist:

    packagist.org/packages/art4/re

    Happy new year! 🥳

  32. I'm currently working on a #RectorExtension that replaces the native type declaration set. The special thing about it: no breaking changes!

    This means: no changes to parameter types or return types if your class/method is not private or final. This is particularly important for library maintainers who want to use #Rector but don't want to have any breaking changes.

    If you are a maintainer of a #PHP library and #backwardcompatibility is important to you, then check it out on #packagist: packagist.org/packages/art4/re

    And feel free to give me feedback.