Pentester Hijacks Packagist Packages While Looking for a Job

A researcher going by the pseudonym "neskafe3v1" has stated that he hijacked 14 popular Packagist packages. As evidence, he pointed to the Packagist pages for these packages, on each of which he had replaced the package's GitHub repository with his own. The Packagist team has since reverted all of the changes.

The hijacked Packagist page for the "Acmephp" package

Publishing a package on Packagist does not require uploading any files to Packagist.org. It is enough to create a Packagist.org account and submit a link to the GitHub repository for the package. Packagist then crawls that repository and collects the metadata it displays on the package's Packagist page.

When installing packages with Composer, the tool by default looks the package up on Packagist, reads the GitHub URL recorded for that package on its Packagist page, and then downloads the package contents from that GitHub repository.

By changing the Packagist page of each package, the researcher hijacked the installation workflow of every Composer environment that resolves these packages. Developers would receive the package contents from the neskafe3v1 repository on GitHub rather than from the project's own repository.
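A takeover of this kind leaves a trace in composer.lock: for each package Composer records the `source` URL (the git repository) and the `dist` URL (for GitHub packages, an api.github.com zipball URL), and both contain the GitHub owner. The following script, an added example that is not code from the article, from Packagist or from Composer, audits a lock file against a map of expected GitHub owners and flags any package whose source or dist URL points elsewhere. The package names, the expected-owner map, the "attacker-fork" owner and the embedded lock-file excerpt are all constructed for illustration.

```python
"""Flag composer.lock entries whose source/dist URLs point at an unexpected
GitHub owner. Added example; package names, owners and the sample lock file
below are constructed, not taken from the incident."""
import json
from urllib.parse import urlparse

# Constructed allowlist: which GitHub owner each dependency should come from.
EXPECTED_OWNERS = {
    "acme/widgets": "acme",
    "example/logger": "example",
}

# Constructed composer.lock excerpt. The first package still points at its
# upstream repository; the second has been re-pointed to a hypothetical fork.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            "name": "acme/widgets",
            "version": "1.4.2",
            "source": {"type": "git",
                       "url": "https://github.com/acme/widgets.git",
                       "reference": "a" * 40},
            "dist": {"type": "zip",
                     "url": "https://api.github.com/repos/acme/widgets/zipball/" + "a" * 40,
                     "reference": "a" * 40},
        },
        {
            "name": "example/logger",
            "version": "2.0.0",
            "source": {"type": "git",
                       "url": "https://github.com/attacker-fork/logger.git",
                       "reference": "b" * 40},
            "dist": {"type": "zip",
                     "url": "https://api.github.com/repos/attacker-fork/logger/zipball/" + "b" * 40,
                     "reference": "b" * 40},
        },
    ],
    "packages-dev": [],
})


def github_owner(url):
    """Return the GitHub owner named in a source or dist URL, or None if the
    URL is not a recognised GitHub form (https clone, SSH clone, api zipball)."""
    # SSH clone form: git@github.com:owner/repo.git
    if url.startswith("git@github.com:"):
        parts = [p for p in url[len("git@github.com:"):].split("/") if p]
        return parts[0] if len(parts) >= 2 else None
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.hostname == "github.com" and len(parts) >= 2:
        return parts[0]
    if parsed.hostname == "api.github.com" and len(parts) >= 3 and parts[0] == "repos":
        return parts[1]
    return None


def audit_lock(lock_text, expected_owners):
    """Return (package, field, url, owner) for every source/dist URL whose
    GitHub owner differs from the expected owner, or is not GitHub at all."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name")
            want = expected_owners.get(name)
            if want is None:
                continue  # not allowlisted; a stricter policy would flag this too
            for field in ("source", "dist"):
                url = (pkg.get(field) or {}).get("url", "")
                owner = github_owner(url)
                if owner is None or owner.lower() != want.lower():
                    findings.append((name, field, url, owner))
    return findings


if __name__ == "__main__":
    for name, field, url, owner in audit_lock(SAMPLE_LOCK, EXPECTED_OWNERS):
        print(f"{name}: {field} URL {url} belongs to {owner!r}, expected {EXPECTED_OWNERS[name]!r}")
```

Run it in CI on every change to composer.lock. A `composer install` against an existing lock file keeps the URLs recorded in that file, so the exposure window is a `composer update` (or an install without a lock file) performed while the Packagist page is pointing at the fork; reviewing the lock diff at that moment is where this check pays off.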

To announce that he was looking for a job, the researcher modified the composer.json file in each of these packages as follows:

The composer.json file modified by the researcher to demonstrate the hijack

The researcher did not disclose the exact method of the takeover, but stated that no 0-day vulnerability was involved and that it was carried out with a "well-known technique". In the end, he gained access to the maintainers' Packagist accounts and changed the packages' GitHub URLs to the URLs of his forked repositories.

Affected packages

The Packagist team stated that the takeover had not caused any malicious impact on the platform. The platform confirmed that the takeover did occur through compromised maintainer credentials.

Packagist said the takeover was not used for any malicious purpose and was limited to a few old accounts with weak passwords and no two-factor authentication. The accounts most likely reused passwords that had leaked in breaches of other platforms.
