"Critical Packagist Vulnerability Opened Door for PHP Supply Chain Attack"

Security researchers at SonarSource recently discovered a severe vulnerability in Packagist that could have been abused to mount supply chain attacks against the PHP community. Packagist is the default repository for Composer, the PHP dependency manager, and aggregates the public PHP packages that Composer can install. The researchers noted that Composer is used to download more than 2 billion packages each month. The vulnerability could have been used to hijack over 100 million requests to distribute malicious dependencies, potentially compromising millions of servers. Because Composer is the standard package manager for PHP, the researchers noted that most open-source and commercial PHP projects would have been affected.

The vulnerability is tracked as CVE-2022-24828 and is described as a command injection issue: an attacker could control input that Composer interprets as parameters for commands it executes. According to the researchers, exploiting it would require an attacker to create a project in a remote Mercurial repository, add a composer.json manifest with a malicious 'readme' entry, create a .sh payload to perform the desired action, and then import the package into Packagist. The attacker would then need to modify a package's definition to point to an unintended destination, compromising the applications that use that package.

The researchers stated that the vulnerability was reported to the Packagist maintainers on April 7, and a hotpatch was released the next day. The issue was addressed in Composer versions 2.3.5, 2.2.12, and 1.10.26; no evidence of in-the-wild exploitation was found.
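Two checks a defender can run against the summary above, as an added example (not code from SonarSource, Packagist or Composer): a branch-aware test of whether an installed Composer version includes one of the three fixed releases named here, and a lint of a composer.json 'readme' value that flags anything that looks more like a command-line parameter than a relative file name. The version branches and the sample manifests are constructed for illustration.

```python
import json
import re

# Fixed releases named in the summary, keyed by release branch (major, minor).
FIXED_VERSIONS = {(2, 3): (2, 3, 5), (2, 2): (2, 2, 12), (1, 10): (1, 10, 26)}


def parse_version(version):
    """Turn 'v2.3.5' / '2.3.5-dev' into (2, 3, 5); reject anything unparsable."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised Composer version: {version!r}")
    return tuple(int(part) for part in match.groups())


def composer_is_patched(version):
    """True if this Composer release carries the CVE-2022-24828 fix.
    Assumption: branches newer than 2.3 are patched; other unlisted branches
    (e.g. 2.0, 2.1, 1.9) are treated conservatively as unpatched."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_VERSIONS:
        return parsed >= FIXED_VERSIONS[branch]
    return parsed > (2, 3)


def suspicious_readme(manifest):
    """Return reasons a composer.json 'readme' value could be read as a command
    parameter instead of a plain file path; an empty list means it looks benign."""
    readme = manifest.get("readme")
    if readme is None:
        return []
    if not isinstance(readme, str):
        return ["readme is not a string"]
    reasons = []
    if readme.startswith("-"):
        reasons.append("readme begins with '-' and looks like a command-line option")
    if re.search(r"[\s;&|`$<>]", readme):
        reasons.append("readme contains whitespace or shell metacharacters")
    if readme.startswith("/") or ".." in readme.split("/"):
        reasons.append("readme is not a path relative to the package root")
    return reasons


if __name__ == "__main__":
    # Constructed sample manifests: one benign, one with an option-shaped readme.
    for text in ('{"name": "acme/lib", "readme": "README.md"}',
                 '{"name": "acme/lib", "readme": "--not-a-file"}'):
        print(json.loads(text)["readme"], suspicious_readme(json.loads(text)))
    print("2.3.4 patched?", composer_is_patched("2.3.4"))
```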


SecurityWeek reports: "Critical Packagist Vulnerability Opened Door for PHP Supply Chain Attack"

Submitted by Anonymous on