Security News > 2021 > April > A New PHP Composer Bug Could Enable Widespread Supply-Chain Attacks
The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "Backdoor every PHP package," resulting in a supply-chain attack.
"Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders," Composer said its release notes for versions 2.0.13 and 1.10.22 published on Wednesday.
Composer is billed as a tool for dependency management in PHP, enabling easy installation of packages relevant to a project.
It also allows users to install PHP applications that are available on Packagist, a repository that aggregates all public PHP packages installable with Composer.
The first "Alpha" version of Composer was released on July 3, 2013.
"The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins," Jordi Boggiano, one of the primary developers behind Composer, said.
News URL
Related news
- It's only a matter of time before LLMs jump start supply-chain attacks (source)
- PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack (source)
- IPany VPN breached in supply-chain attack to push custom malware (source)
- Supply chain attack hits Chrome extensions, could expose millions (source)
- Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant' (source)
- North Korea targets crypto developers via NPM supply chain attack (source)