On May 1, an attacker took over four user accounts on the PHP registry Packagist.org. In doing so, he gained control of a total of 14 packages and changed the associated description and the link to the respective GitHub repositories.
The operators of the platform for PHP packages created with the Composer package manager found out about the incident a day later. They restored the original content and blocked edit access to the affected packages. According to the Packagist blog, the forked repositories do not contain any malicious code. Unlike the JavaScript and Python counterparts npm and PyPI, the registry does not directly provide the code of the packages, but Composer fetches it from the GitHub repository specified for the package.
Passwords that are used more than once
The Packagist operators assume that the attacker obtained the passwords through leaks from other platforms. The respective maintainers have probably also used the access data for Packagist.org for other sites. None of them had two-factor authentication (2FA) enabled.
Apparently the hijacked accounts had been inactive for a while, but the fourteen packages affected were quite widespread: they have between 30,000 and over 500 million installations (doctrine/instantiator).
Apparently, the attacker only changed the description in the composer.json file. What is interesting is the text that is in the adapted file, which only brings a new “description”:
Pwned by neskafe3v1…. Looking for a job as Application Security, Penetration Tester, Cyber Security Specialist.
Job search by attack
The attacker then contacted the operators of the security news portal Bleeping Computer and gave them details of the hijacked accounts and packages. His motivation was that he was a security researcher looking for a job. In the “description” he wrote in Russian that he was looking for a job, which he then described in English.
The original contents of the packages have now been restored, but the attacker took screenshots after the attack.
(Bild: Bleeping Computer)
He did not want to comment on the exact details of the attack to Bleeping Computer. Until his job search is successful, there is nothing to tell. However, if he actually only used passwords from a leak that were used more than once, as the Packagist.org operators write, the attack as an application document is rather poor.
The operators of Packagist.org have not only blocked editing of the affected packages, but initially blocked editing of all packages that have more than 50,000 installations. If you want to make changes to one of the affected packages, you should email the person responsible for the registry.
In addition, the operators are planning further security measures such as public display and an expansion of the content of the audit log, which, among other things, keeps a record of the changes in the package. Package maintainers also encourage them to enable 2FA.
More details and a list of affected packages can be found on the Packagist blog.
(rme)
