
PHP software package repository Packagist has revealed that “attackers” accessed four inactive accounts on the platform to hijack 14 packages that together have been installed more than 500 million times to date.
According to Packagist’s Nils Adermann, “The attackers forked each package and replaced the package description in composer.json with their own message, but made no other malicious changes. The package’s URL was then changed to point to the forked repository.”
The four user accounts were said to have had access to a total of 14 packages, including several Doctrine packages. The incident occurred on May 1, 2023. The full list of affected packages is as follows:
- acmephp/acmephp
- acmephp/core
- acmephp/ssl
- doctrine/doctrine-cache-bundle
- doctrine/doctrine-module
- doctrine/doctrine-mongo-odm-module
- doctrine/doctrine-orm-module
- doctrine/instantiator
- growthbook/growthbook
- jdorn/file-system-cache
- jdorn/sql-formatter
- khanamiryan/qrcode-detector-decoder
- object-gymnastics/phpcs-gymnastics-rules
- tga/simhash-php
Security researcher Ax Sharma, writing for BleepingComputer, reported that the changes were made by an anonymous penetration tester using the pseudonym “neskafe3v1” in an attempt to get a job.

Put differently, the attack chain made it possible to alter the Packagist entry for each of these packages so that it pointed at a GitHub fork carrying the same name, effectively changing where Composer fetches the package from during installation.
A successful exploit means that developers installing the package receive the forked copy instead of the genuine content.
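The repointing described above can be caught mechanically before a fork is ever installed. The following is an added example, not code from Packagist, Composer or the article: it compares the `source.url` recorded for each package in a `composer.lock` file against a pinned baseline of expected upstream repositories and reports any package whose resolution has moved to a different repository. The lock-file excerpt and the baseline are constructed for the example, and the fork owner `evil-fork` is invented; the package names come from the affected list above.

```python
"""Detect Composer packages whose resolved source repository no longer
matches a trusted baseline of upstream origins.

Added example, not Packagist's or Composer's own code. It models the
incident above, where the Packagist entry for a package is changed to
a GitHub fork of the same name, and shows how a CI step could catch the
repoint by diffing composer.lock against pinned expected source URLs.
"""
import json
from urllib.parse import urlparse

# Constructed baseline: the repository each pinned package is expected to
# resolve to. In practice this is captured from a known-good composer.lock
# or maintained alongside the project.
EXPECTED_SOURCES = {
    "doctrine/instantiator": "https://github.com/doctrine/instantiator.git",
    "jdorn/sql-formatter": "https://github.com/jdorn/sql-formatter.git",
    "acmephp/core": "https://github.com/acmephp/core.git",
}

# Constructed composer.lock excerpt containing only the fields this check
# reads. jdorn/sql-formatter has been repointed to a same-named fork under
# an invented owner ("evil-fork"), mirroring the incident.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "doctrine/instantiator", "version": "1.5.0",
         "source": {"type": "git",
                    "url": "https://github.com/doctrine/instantiator.git",
                    "reference": "abc123"}},
        {"name": "jdorn/sql-formatter", "version": "v1.2.17",
         "source": {"type": "git",
                    "url": "https://github.com/evil-fork/sql-formatter.git",
                    "reference": "def456"}},
        {"name": "acmephp/core", "version": "1.3.0",
         "source": {"type": "git",
                    "url": "git@github.com:acmephp/core.git",
                    "reference": "789aaa"}},
    ],
    "packages-dev": [],
})


def normalize_repo(url):
    """Reduce a git URL to (host, owner/repo) so that https://, ssh-style
    and trailing-.git variants of the same repository compare equal.
    Returns None when the URL does not look like host/owner/repo."""
    url = url.strip()
    if url.startswith("git@"):            # git@github.com:owner/repo.git
        host, _, path = url[4:].partition(":")
    else:
        parsed = urlparse(url)
        host, path = parsed.netloc, parsed.path
    path = path.strip("/").lower()
    if path.endswith(".git"):
        path = path[:-4]
    parts = path.split("/")
    if not host or len(parts) != 2 or not all(parts):
        return None
    return host.lower(), "/".join(parts)


def find_repointed(lock_json, expected=EXPECTED_SOURCES):
    """Return a list of (package, expected_url, actual_url) for every
    pinned package whose lock-file source differs from the baseline."""
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg["name"]
        if name not in expected:
            continue  # not pinned; a stricter policy could flag this too
        actual_url = pkg.get("source", {}).get("url", "")
        if normalize_repo(actual_url) != normalize_repo(expected[name]):
            findings.append((name, expected[name], actual_url))
    return findings


if __name__ == "__main__":
    for name, want, got in find_repointed(COMPOSER_LOCK):
        print(f"REPOINTED {name}: expected {want}, lock has {got}")
```

Run as a CI gate, the script fails the build when `find_repointed` returns anything; a package moving to a different owner is exactly the signal the incident would have produced, whereas a `reference` change alone is just a normal version bump.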
Packagist states that no other malicious changes were distributed and that all affected accounts were disabled and the packages restored on May 2, 2023. Adermann also urges users to enable two-factor authentication (2FA) to protect their accounts.
“All four accounts appear to have used shared passwords that were leaked in previous incidents on other platforms,” Adermann said. “Don’t reuse passwords.”
The development comes as cloud security company Aqua identified thousands of public cloud software registries and repositories exposing more than 250 million artifacts and over 65,000 container images.
The exposures stem from registries mistakenly connected to the internet, anonymous access allowed by design, default passwords, and upload privileges granted to users, any of which could be abused to poison a registry with malicious code.
“In some of these cases, anonymous user access allows potential attackers to obtain confidential information, such as secrets, keys, and passwords, which can lead to serious software supply chain attacks and software development life cycle (SDLC) attacks,” researchers Mor Weinberger and Assaf Morag revealed late last month.