Threat actors could have leveraged a now-patched vulnerability affecting the Packagist PHP package repository to mount supply chain attacks, reports The Hacker News.
The flaw, tracked as CVE-2022-24828, is a command injection bug in Composer, the PHP dependency manager that Packagist's backend services rely on. Exploiting it could have let attackers hijack package update requests and execute arbitrary commands on the backend server, positioning them to deliver malicious dependencies to downstream users, according to a report from SonarSource.
"Compromising [the backend services] would allow attackers to force users to download backdoored software dependencies the next time they do a fresh install or an update of a Composer package," noted SonarSource researcher Thomas Chauchefoin.
The flaw, which has not been observed being exploited in any attacks, has been fixed in Composer versions 1.10.26, 2.2.12, and 2.3.5; Packagist's own services have been patched, and anyone running Composer in their build or deployment pipeline should update to one of those releases.
"While supply chains can take different forms, one of them is significantly more impactful: By gaining access to the servers distributing these third-party software components, threat actors can alter them to obtain a foothold in the systems of their users," said Chauchefoin.
SiliconAngle reports that mounting cybersecurity threats against the hardware supply chain have prompted the Cybersecurity and Infrastructure Security Agency to unveil a new framework aimed at bolstering risk assessment and mitigation in the supply chain.
The strategy is designed to focus federal resources on better investment in a range of emerging technologies, while also building an environment for innovation and a pool of qualified domestic workers for businesses and governments to draw on.