> 120 malicious packages have been pulled from RubyGems
https://thehackernews.com/2026/05/rubygems-suspends-new-signups-after.html
For those counting: #npm, #PyPI, #RubyGems, #cargo #NuGet, #packagist and #Maven so far…
▪ Also patched in legacy Composer 1.10.28 (upgrade to 2.x still recommended)
🚑 Immediate actions:
1️⃣ Run composer.phar self-update NOW
2️⃣ Can't update? Disable #GitHubActions workflows running Composer
3️⃣ Review CI logs for leaked tokens
4️⃣ Delete any log contents containing raw token values before they expire
📦 #Packagist.org is unaffected — no GitHub App involved. #PrivatePackagist applied the fix and audited logs: no tokens were exposed. Self-hosted PP is also unaffected.
🚨 Critical Composer Update: 2.9.8 & 2.2.28 fix a GitHub Actions token disclosure!
⚠️ Update NOW or disable GitHub Actions immediately!
#PHP #Composer #ComposerPHP #OpenSource #WebDevelopment #GitHubActions #DevSecOps #CyberSecurity #SoftwareUpdate #PatchRelease #DependencyManagement #SecurityFix #Programming #Packagist #PHPDev #ComposerUpdate #OpenSourceSoftware #WebDevLife #InfoSec #SecurityPatch #CodeSmart #DependencyManagement #SoftwareSecurity #TechUpdate

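As an added example for steps 3 and 4 of the "Immediate actions" list above (this is not code from any of the posts, Composer, or Packagist): a small Python scanner that flags CI log lines carrying a GitHub token and returns a scrubbed copy of the log so the rest can be kept. The sample log lines and the token value in them are constructed, and the regexes assume GitHub's documented token prefixes (ghs_, ghp_, gho_, ghu_, ghr_, github_pat_).

```python
import re
from typing import List, Tuple

# Assumed token shapes, based on GitHub's documented prefixes:
# ghs_ = App installation token (what Actions issues as GITHUB_TOKEN),
# ghp_ = classic PAT, gho_/ghu_/ghr_ = OAuth, user-to-server and refresh
# tokens, github_pat_ = fine-grained PAT. Minimum widths are deliberately
# loose so a slightly different length is still caught.
TOKEN_PATTERNS = {
    "github_fine_grained_pat": re.compile(r"github_pat_[A-Za-z0-9_]{22,}"),
    "github_classic_or_app_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}


def scan_log(text: str) -> Tuple[List[Tuple[int, str]], str]:
    """Scan a CI job log.

    Returns (findings, scrubbed_log): findings is a list of
    (line_number, token_kind) for every line that carries a token, and
    scrubbed_log is the same text with each token replaced by a marker,
    suitable for keeping once the raw log has been deleted.
    """
    findings: List[Tuple[int, str]] = []
    scrubbed_lines: List[str] = []
    for no, line in enumerate(text.splitlines(), start=1):
        redacted = line
        for kind, pattern in TOKEN_PATTERNS.items():
            if pattern.search(redacted):
                findings.append((no, kind))
                redacted = pattern.sub(f"<{kind} REDACTED>", redacted)
        scrubbed_lines.append(redacted)
    return findings, "\n".join(scrubbed_lines)


# Constructed sample of an Actions job log; the ghs_ value is fake and was
# made up for this example (26 letters + 10 digits after the prefix).
SAMPLE_LOG = """\
2026-05-02T10:14:03Z Run composer install --no-dev
2026-05-02T10:14:04Z Downloading https://api.github.com/repos/acme/lib/zipball/abc123
2026-05-02T10:14:04Z [debug] Authorization: token ghs_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
2026-05-02T10:14:05Z Installing acme/lib (1.2.3)
2026-05-02T10:14:06Z composer self-update completed to 2.9.8
"""

if __name__ == "__main__":
    hits, clean = scan_log(SAMPLE_LOG)
    for line_no, kind in hits:
        print(f"line {line_no}: {kind} exposed, revoke/rotate and delete the log")
    print(clean)
```

Feed it the downloaded text of each job log that ran Composer before the update; any hit means the token must be treated as exposed for its remaining lifetime, not just scrubbed.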
Please immediately update Composer to version 2.9.8 or 2.2.28 (LTS) by running composer.phar self-update. The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions-issued GITHUB_TOKENs or GitHub App installation tokens to the GitHub Actions logs. GitHub introduced a
Version 8.0.0 of #bm_image_gallery is released. Available at #ter and #packagist.
Have fun with v14 support. Happy updating! #TYPO3 #gallery #extension
⚠️ Fake #Laravel packages on #Packagist deploy a cross-platform #RAT on Windows, macOS & Linux — researchers at Socket flagged 3 malicious #PHP packages disguised as Laravel utilities #cybersecurity #supplychain #opensource #infosec
📦 Malicious packages identified:
• nhattuanbl/lara-helper (37 downloads)
• nhattuanbl/simple-queue (29 downloads)
• nhattuanbl/lara-swagger (49 downloads)
🧵 👇
I finally solved my Composer hanging/stuck issue 🚀
Set up a local proxy server and routed downloads using PHP stream functions.
Added real-time debugging with log files to trace where it was freezing.
Result: smooth installs, zero guesswork 😌
The other night I made this little #PHP tool that validates #PHPDoc annotations against the actual method signature, to make sure that they are compatible and don't drift apart over time.
I use it as a quick check before running #PHPStan to make sure that the static analysis is correctly informed. Published it on #Packagist in case anyone else would find it useful too: https://packagist.org/packages/nsrosenqvist/phpdoc-validator
Note for our PHP users: We've upgraded Composer to the latest version, but we've disabled the vulnerability check for now. This is probably an edge case of an edge case, as we do actively track PHP package vulns, but keeping the check in there would lead to a heap of pain for us.
Of course, let us know if you see a package updated to a known vulnerable version; that should definitely not happen.
RE: https://infosec.exchange/@art4/115747129017446982
Just in time for the end of 2025 (at least in my time zone), I released version 1.0.0 of my new #RectorExtension that replaces the native type declaration set. The special thing about it: no breaking changes!
This means: no changes to parameter types or return types if your class/method is not private or final. This is particularly important for library maintainers who want to use #Rector but don't want to have any breaking changes.
If you are a maintainer of a #PHP library and #backwardcompatibility is important to you, then check it out on #packagist:
https://packagist.org/packages/art4/rector-bc-library
Happy new year! 🥳