Packagist, one of the most popular repositories for PHP libraries and packages, recently revealed that an attacker gained control of 14 PHP libraries, including several widely used ones, such as Instantiator, SQL-Formatter, doctrine-cache-bundle, and qrcode-detector-decoder. According to Packagist’s announcement, the attacker compromised four accounts that controlled the packages using easily guessed passwords and did not use two-factor authentication.
The attacker’s motive was not to cause harm but to demonstrate the risks of using repeated login credentials across multiple websites. After compromising the accounts, the attacker modified the files, including the composer.json file, by replacing original repository links with links to modified forks on Github. The attacker added a message to the project description that he was looking for a job in information security.
It is worth mentioning that the attacker did not follow the usual practice of ethical hacks by not notifying the developers and repository administrators of the experiment. Moreover, the attacker stated that he would release a detailed report on the methods used in the attack once he lands a job.
Packagist has urged its users to enable two-factor authentication and not to reuse passwords from other services. It is also recommended that library developers should verify the added repositories manually or use automated services. According to Packagist, the compromised packages were not maliciously modified, and there has been no evidence of malicious activities.
The compromised packages are:
– Acmephp/Acmephp (124,860 installations)
– Acmephp/Core (419,258)
– Acmephp/SSL (531,692)
– doctrine/doctrine-cache-bundle (73,490,057)
– doctrine/doctrine-module (5,516,721)
– doctrine/doctrine-mongo-ODM-MODULE (516,441)
– doctrine/doctrine-orm-module (5,103,306)
– doctrine/Instantiator (526,809,061)