Packagist | Breaking Cybersecurity News | The Hacker News

PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. "The attacker forked each of the packages and replaced the package description in  composer.json  with their own message but did not otherwise make any malicious changes," Packagist's Nils Adermann  said . "The package URLs were then changed to point to the forked repositories." The four user accounts are said to have had access to a total of 14 packages, including multiple Doctrine packages. The incident took place on May 1, 2023. The complete list of impacted packages is as follows - acmephp/acmephp acmephp/core acmephp/ssl doctrine/doctrine-cache-bundle doctrine/doctrine-module doctrine/doctrine-mongo-odm-module doctrine/doctrine-orm-module doctrine/instantiator growthbook/growthbook jdorn/file-system-cache jdorn/sql-formatter khanamiryan/

Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks. "This vulnerability allows gaining control of  Packagist ," SonarSource researcher Thomas Chauchefoin  said  in a report shared with The Hacker News. Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects. The disclosure comes as planting malware in open source repositories is turning into an attractive conduit for performing  software supply chain attacks . Tracked as  CVE-2022-24828  (CVSS score: 8.8), the  issue  has been described as a case of command injection and is linked to another similar Composer bug ( CVE-2021-29472 ) that came to light in April 2021, suggesting an inadequate patch. "An attacker controlling a Git or Mercurial repository explicitly listed by UR

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or