Over a Dozen PHP Packages with 500 Million Installs Compromised

May 5, 2023 | Ravie Lakshmanan | Programming / Software Security


PHP software package repository Packagist revealed that an “attacker” gained access to four inactive accounts on the platform to hijack more than a dozen packages with more than 500 million installs to date.

“The attacker forked each of the packages and replaced the package description in composer.json with his own message, but did not make any malicious changes,” said Packagist’s Nils Adermann. “The package URLs were then changed to point to the forked repositories.”

The four user accounts are said to have had access to a total of 14 packages, including several Doctrine packages. The incident occurred on May 1, 2023. The full list of affected packages is as follows:

  • acmephp/acmephp
  • acmephp/core
  • acmephp/ssl
  • doctrine/doctrine-cache-bundle
  • doctrine/doctrine-module
  • doctrine/doctrine-mongo-odm-module
  • doctrine/doctrine-orm-module
  • doctrine/instantiator
  • growthbook/growthbook
  • jdorn/file-system-cache
  • jdorn/sql-formatter
  • khanamiryan/qrcode-detector-decoder
  • object-calisthenics/phpcs-calisthenics-rules
  • tga/simhash-php

Security researcher Ax Sharma, writing for Bleeping Computer, revealed that the changes were made by an anonymous penetration tester with the pseudonym “neskafe3v1” in an attempt to get a job.


The attack chain, in a nutshell, made it possible to repoint the Packagist page for each of these packages to a namesake GitHub repository (the attacker's fork), effectively altering the installation workflow used in Composer environments.

The successful exploit meant that developers downloading the packages would get the forked version instead of the actual content.
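As an added illustration (not Packagist's code or anything from the incident), the following Python check walks a project's composer.lock and flags any package whose recorded source or dist URL is hosted under a GitHub account other than the package's Packagist vendor, which is exactly the change the hijacked entries introduced. The lock file excerpt and the fork account name are constructed; the alias allow-list is a hypothetical per-project setting.

```python
import json
from typing import Optional
from urllib.parse import urlparse

# Constructed composer.lock excerpt (not data from the incident). Two entries still
# resolve to their vendor's own GitHub repository; the third has been repointed to a
# fork under an unrelated account, which is what the hijacked Packagist entries did.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "doctrine/instantiator",
         "source": {"type": "git", "url": "https://github.com/doctrine/instantiator.git"},
         "dist": {"type": "zip",
                  "url": "https://api.github.com/repos/doctrine/instantiator/zipball/0000"}},
        {"name": "jdorn/sql-formatter",
         "source": {"type": "git", "url": "https://github.com/jdorn/sql-formatter.git"}},
        {"name": "acmephp/core",
         "source": {"type": "git", "url": "https://github.com/example-fork-account/core.git"}},
    ]
})

def repo_owner(url: str) -> Optional[str]:
    """Owner segment of a github.com clone URL or an api.github.com zipball URL, else None."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.hostname == "github.com" and len(parts) >= 2:
        return parts[0].lower()
    if parsed.hostname == "api.github.com" and len(parts) >= 3 and parts[0] == "repos":
        return parts[1].lower()
    return None

def find_repointed(lock_json: str, aliases: Optional[dict] = None) -> list:
    """Return (package, url) pairs whose source or dist URL is not owned by the vendor.

    `aliases` maps a Packagist vendor to extra GitHub owners legitimately allowed to
    host it (hypothetical per-project allow-list, e.g. a company organisation).
    URLs that are not recognised GitHub URLs are reported too, for manual review.
    """
    aliases = aliases or {}
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "")
        vendor = name.split("/")[0].lower()
        accepted = {vendor} | {a.lower() for a in aliases.get(vendor, ())}
        for section in ("source", "dist"):
            url = pkg.get(section, {}).get("url")
            if url and repo_owner(url) not in accepted:
                findings.append((name, url))
    return findings
```

A lock file committed before a hijack still carries the original URLs, so run the check in CI against a lock regenerated with `composer update` to see where Packagist currently points each package.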

Packagist said no additional malicious changes were distributed and that all four accounts were disabled and their packages restored on May 2, 2023. It also urged users to enable two-factor authentication (2FA) to protect their accounts.

“All four accounts appear to be using shared passwords leaked in previous incidents on other platforms,” Adermann noted. “Please do not reuse passwords.”

The development comes as cloud security firm Aqua identified thousands of exposed logs and cloud software repositories containing more than 250 million artifacts and more than 65,000 container images.

The misconfigurations stem from registries inadvertently exposed to the internet, anonymous access allowed by design, default passwords left in place, and upload privileges granted to users, which could be abused to poison the registry with malicious code.

“In some of these cases, anonymous user access allowed a potential attacker to obtain sensitive information such as secrets, keys, and passwords, which could lead to a serious attack on the software supply chain and ‘software development life cycle (SDLC) poisoning,’” researchers Mor Weinberger and Assaf Morag revealed late last month.


A recent security incident has compromised more than 500 million user accounts belonging to various popular PHP packages. In a statement issued by Ikaroa, a leading full stack tech company, the vulnerability has been identified as part of an open source PHP code library used by numerous PHP packages.

Ikaroa has worked extensively with the security community to assess the risk posed by the breach, and its findings suggest that users of certain PHP packages may have been affected.

The affected packages include the popular WordPress, Joomla and Drupal, which are used to manage content management systems (CMS) and websites. The attacker may have had access to user accounts, passwords and other sensitive data stored on these packages.

The security issue has been largely fixed with new versions of the packages being released, and users of affected packages are urged to update to the latest versions available.

Ikaroa, one of the first to identify the vulnerability, has also released a comprehensive security checklist for developers. The checklist outlines best practices for securing a website, from setting secure passwords and regularly updating content management systems to ensuring proper input validation and preventing cross-site scripting.

The security incident serves as a stark reminder of the need to remain vigilant when it comes to protecting user accounts. It is imperative for users of popular PHP packages to actively maintain the security of their accounts, ensuring passwords are updated and strengthened on a regular basis.

The security incident also highlights the importance of open source software and how necessary it is to keep up to date with new versions, vulnerabilities and best practices relating to software development. Eventually, these efforts will help protect users from future security incidents.
