Thursday, August 5, 2021

PHP community sidesteps its third supply chain attack in three years – Naked Security

Swiss cybersecurity researchers recently found security holes in Composer, the software tool that programming teams use to access Packagist, the PHP ecosystem's major online repository of PHP software modules.

These bugs could have allowed cybercriminals to poison the Packagist system itself, thus tainting the very watering hole at which a large part of the PHP community comes to drink.

That sort of cyberassault is known, for obvious reasons, as a supply chain attack.

Fortunately the Composer team responded with a hotfix within just 12 hours, and an official patch within five days.

Even though the researchers reported that “[s]ome of the vulnerable code [was] present since the first versions of Composer, 10 years ago,” it seems that this was the first time these flaws were spotted.

In other words, it looks as though the Good Guys got to these bugs before any Bad Guys did.