PHP software package repository Packagist revealed that an “attacker” gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date.
“The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes,” Packagist’s Nils Adermann said