Security News > 2023 > May > Researcher hijacks popular Packagist PHP packages to get a job
The researcher reached out to BleepingComputer stating that by hijacking these packages he hopes to get a job.
Yesterday, a researcher with the pseudonym 'neskafe3v1' reached out to BleepingComputer stating he had taken over fourteen Packagist packages, with one of them having over 500 million installs.
Packagist is the primary registry of PHP packages that are installable via Composer, a dependency management tool.
Rather than hosting these packages though, Packagist serves more as a metadata directory that aggregates open source packages published to GitHub.
The researcher provided proof to BleepingComputer demonstrating that on Monday, May 1, the Packagist pages for these packages were modified to point to the researcher's repo, as opposed to the legitimate GitHub repository for each package.
The researcher additionally told BleepingComputer that he had not abused the technique to distribute malware, but at the same time, said he had not notified either Packagist admins or the package owners of the little experiment-which raises eyebrows with regards to the 'ethical' nature of this research.