Bars Icon

Researcher hijacks popular Packagist PHP packages to get a job

11-12-2023 12:48 PM

A researcher hijacked over a dozen Packagist packages—with some having been installed hundreds of millions of times over the course of their lifetime.

The researcher reached out to BleepingComputer stating that by hijacking these packages he hopes to get a job. And, he seems pretty confident that this would work.

At least 14 Packagist packages hijacked

Yesterday, a researcher with the pseudonym ‘neskafe3v1’ reached out to BleepingComputer stating he had taken over fourteen Packagist packages, with one of them having over 500 million installs.

Packagist is the primary registry of PHP packages that are installable via Composer, a dependency management tool. Rather than hosting these packages though, Packagist serves more as a metadata directory that aggregates open source packages published to GitHub. These packages can then be installed by developers on their machines by running the composer install command.The researcher provided proof to BleepingComputer demonstrating that on Monday, May 1, the Packagist pages for these packages were modified to point to the researcher’s (fake) repo, as opposed to the legitimate GitHub repository for each package.As an example, here’s how the Packagist page for acmephp package appeared on Monday—with its GitHub link changed to researcher’s repo instead of the authentic github.com/acmephp/acmephp.
These changes have now been reverted by the Packagist team as checked by BleepingComputer.
Publishing process on Packagist is a bit different from that on open source repos like npm or PyPI. A developer, as opposed to uploading binaries or software releases directly to Packagist.org, simply creates a Packagist.org account, and “submits” a link to their GitHub repo for a particular package. Packagist’s crawler then visits the provided repo and aggregates all the data to display on the Packagist page for that package.When a developer runs Composer with ‘install’ or ‘update’ commands, their Composer instance may first look for the presence of the packages locally, failing which, it defaults to searching on Packagist for this package and retrieving the GitHub URL listed for that package. The contents of the package are then downloaded from this GitHub repo listed on the package’s Packagist page.
This is in stark contrast to how npm or PyPI works—that is, these registries host and distribute software releases directly from their servers.