RE: https://mastodon.social/@seldaek/116651920344034250

I am very excited about this update!

The #PHP ecosystem cannot thank @seldaek, @naderman, and everyone at #Packagist and everybody contributing to #Composer enough for the amazing work they are doing.

An Update on Composer & Packagist Supply Chain Security

The last months, and even more so the last weeks, saw an increasing amount of software supply chain attacks targeting open-source ecosystems. A handful of these have hit the PHP ecosystem too, via taken-over GitHub accounts and stolen access tokens that let attackers publish new tags on packages they had

Private Packagist

📰 Packagist Supply Chain Attack Uses Clever Evasion to Infect PHP Projects with Linux Malware

🚨 PHP supply chain attack hits Packagist! 8+ packages compromised to drop Linux malware. Attackers hid malicious code in `package.json` to evade PHP security scanners. #SupplyChainAttack #PHP #Packagist #CyberSecurity

🌐 cyber[.]netsecops[.]io

🔗 https://cyber.netsecops.io/articles/coordinated-packagist-attack-infects-php-projects-with-linux-malware/?utm_source=mastodon&utm_…

GitHub-Hosted Malware Targets PHP Packages in Coordinated Supply Chain Attack

Malicious code was injected into eight PHP packages on Packagist, triggering a Linux binary download from GitHub Releases via JavaScript lifecycle hooks in package.json postinstall scripts. The attack was swiftly contained, with the malicious versions removed from Packagist.

https://osintsights.com/github-hosted-malware-targets-php-packages-in-coordinated-supply-chain-attack?utm_source=mastodon&utm_medium=social

#SupplyChainAttack #Github #Php #Packagist #Javascript

Learn how GitHub-hosted malware targets PHP packages in a coordinated supply chain attack and take steps to secure your projects now with expert insights.

OSINTSights

🚨 A compromise affecting the community-maintained Laravel Lang project introduced remote code execution backdoors across multiple packages, including:

- Laravel-Lang/lang
- Laravel-Lang/http-statuses
- Laravel-Lang/actions
- Laravel-Lang/attributes

All tags were rewritten to point to malicious commits.

https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer

https://github.com/Laravel-Lang/lang/issues/8295

https://github.com/Laravel-Lang/common/issues/257

https://www.stepsecurity.io/blog/laravel-lang-supply-chain-attack

https://socket.dev/blog/laravel-lang-compromise

#PHP #Laravel #SupplyChainAttack #RemoteCodeExecution #RCE #Packagist

> 120 malicious packages have been pulled from RubyGems

https://thehackernews.com/2026/05/rubygems-suspends-new-signups-after.html

For those counting: #npm, #PyPI, #RubyGems, #cargo, #NuGet, #packagist and #Maven so far…

RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded

RubyGems halted new registrations after a major attack involving hundreds of malicious packages, increasing supply chain risks.

The Hacker News

▪ Also patched in legacy Composer 1.10.28 (upgrade to 2.x still recommended)

🚑 Immediate actions:
1️⃣ Run composer.phar self-update NOW
2️⃣ Can't update? Disable #GitHubActions workflows running Composer
3️⃣ Review CI logs for leaked tokens
4️⃣ Delete any log contents containing raw token values before they expire

📦 #Packagist.org is unaffected — no GitHub App involved. #PrivatePackagist applied the fix and audited logs: no tokens were exposed. Self-hosted PP is also unaffected.

Composer 2.9.8 and 2.2.28 fix GitHub Actions token disclosure in error messages

Please immediately update Composer to version 2.9.8 or 2.2.28 (LTS) by running composer.phar self-update. The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions issued GITHUB_TOKENs or GitHub App installation tokens to the GitHub Actions logs. GitHub introduced a

Private Packagist
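For the "review CI logs for leaked tokens" and "delete any log contents containing raw token values" steps above, here is an added example (not code from the post, Composer or Packagist): a small Python scanner that flags GitHub token strings in a CI log and produces a redacted copy. It assumes GitHub's documented token prefixes (ghs_ for the Actions GITHUB_TOKEN and App installation tokens; ghp_, gho_, ghu_, ghr_ and github_pat_ for the other token kinds); the log lines, including the Composer error text, are constructed for the example and do not reproduce Composer's real message wording.

```python
import re
import sys

# Assumption (not stated in the post): GitHub's documented token prefixes.
# ghs_ is the server-to-server / App installation token, which is what the
# Actions GITHUB_TOKEN is; ghp_ classic PAT, gho_ OAuth, ghu_ user-to-server,
# ghr_ refresh token, github_pat_ fine-grained PAT. Group 1 keeps the prefix
# so a redacted log still shows which token kind was exposed.
TOKEN_PATTERNS = [
    re.compile(r"\b(gh[pousr]_)[A-Za-z0-9]{36,}\b"),
    re.compile(r"\b(github_pat_)[A-Za-z0-9_]{22,}\b"),
]

# Constructed sample CI log. The Composer error line is illustrative only and
# is not the real wording of the message that the 2.9.8 / 2.2.28 releases fix.
SAMPLE_LOG = """\
Run composer install --no-interaction --no-progress
Loading composer repositories with package information
Downloading https://api.github.com/repos/example/pkg/zipball/abc123
[Composer\\Downloader\\TransportException] request failed with header "Authorization: token ghs_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
Script ran with github_pat_11ABCDEFG0ABCDEFGHIJKL_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefg
Debug: the prefix ghs_short alone is not a token
Installing dependencies from lock file
"""


def scan_log(text):
    """Return (line_number, prefix, token) findings in file order."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for pattern in TOKEN_PATTERNS:
            for match in pattern.finditer(line):
                findings.append((number, match.group(1), match.group(0)))
    return findings


def redact(text):
    """Return a copy of the log with every token body replaced, prefix kept."""
    for pattern in TOKEN_PATTERNS:
        text = pattern.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return text


def summarize(text):
    """Per-prefix counts for a triage report that never echoes the secrets."""
    counts = {}
    for _, prefix, _ in scan_log(text):
        counts[prefix] = counts.get(prefix, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python scan_ci_log.py <downloaded-job-log>; without an argument
    # the constructed sample is scanned.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for number, prefix, token in scan_log(source):
        print(f"line {number}: {prefix}... ({len(token)} chars)")
    print(summarize(source))
    print(redact(source))
```

The scanner only reports the prefix and length of each hit, so its own output is safe to paste into an incident ticket; the redacted copy is what you would keep if the original job log has to be deleted. An Actions GITHUB_TOKEN (ghs_) is short-lived, but a leaked classic or fine-grained PAT is not, so any ghp_ or github_pat_ hit should be revoked rather than only scrubbed from the log.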

Version 8.0.0 of #bm_image_gallery is released. Available at #ter and #packagist.

Have fun with v14 support. Happy updating! #TYPO3 #gallery #extension

North Korea’s Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads
#ContagiousInterview #npm #PyPI #Packagist
https://socket.dev/blog/contagious-interview-campaign-spreads-across-5-ecosystems

Malicious packages published to npm, PyPI, Go Modules, crates.io, and Packagist impersonate developer tooling to fetch staged malware, steal credentia...

Socket