Supply chain, Vulnerability Management

Supply chain attacks likely with already-patched Packagist flaw

Threat actors could leverage an already-patched vulnerability in the Packagist PHP software package repository to facilitate supply chain attacks, reports The Hacker News. Exploiting the command injection flaw, tracked as CVE-2022-24828, could enable attackers to hijack package update requests and execute arbitrary commands on the backend server, allowing them to deliver malicious dependencies, according to a report from SonarSource. "Compromising [the backend services] would allow attackers to force users to download backdoored software dependencies the next time they do a fresh install or an update of a Composer package," noted SonarSource researcher Thomas Chauchefoin. Packagist has already issued fixes in Composer versions 1.10.26, 2.2.12, and 2.3.5; the flaw has not been exploited in any attacks. "While supply chains can take different forms, one of them is significantly more impactful: By gaining access to the servers distributing these third-party software components, threat actors can alter them to obtain a foothold in the systems of their users," said Chauchefoin.
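A practical follow-up for defenders is confirming that every Composer installation in the fleet is at or above one of the fixed versions the article names. The check below is an added example, not code from the article, SonarSource or the Composer project; it encodes only the three fixed versions listed above (1.10.26, 2.2.12, 2.3.5) and, as a stated assumption, treats releases newer than 2.3.5 as carrying the fix and any release line without a listed fix (for example 2.0.x or 2.1.x) as unpatched. The sample `composer --version` output it parses is constructed.

```python
"""Check whether a Composer version includes the CVE-2022-24828 fix.

Added example (not the article's or the Composer project's code). Fixed
versions come from the article: 1.10.26, 2.2.12 and 2.3.5.
"""
import re
import subprocess

# Earliest fixed release per maintained line, keyed by (major, minor).
FIXED = {
    (1, 10): (1, 10, 26),
    (2, 2): (2, 2, 12),
    (2, 3): (2, 3, 5),
}
# Assumption: anything released after the newest fix also contains it.
LATEST_FIX = (2, 3, 5)

# Constructed sample of `composer --version` output (not real captured data).
SAMPLE_OUTPUT = "Composer version 2.3.4 2022-04-07 16:51:13"


def parse_version(text):
    """Extract the first dotted three-part version from a string such as
    the output of `composer --version`. Raises ValueError if none is found."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """Return True if `version` (a (major, minor, patch) tuple) is at or above
    the fixed release for its line. Lines with no listed fix are reported as
    unpatched, which is the conservative choice for a fleet audit."""
    if version >= LATEST_FIX:
        return True
    fix = FIXED.get(version[:2])
    return fix is not None and version >= fix


def audit_text(text):
    """Parse a version string and report (version, patched) for it."""
    version = parse_version(text)
    return version, is_patched(version)


def audit_installed():
    """Run `composer --version` on this host and audit the result.
    Returns None if the composer binary is not on PATH."""
    try:
        out = subprocess.run(
            ["composer", "--version"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return audit_text(out)


if __name__ == "__main__":
    version, ok = audit_text(SAMPLE_OUTPUT)
    print("sample:", ".".join(map(str, version)), "patched" if ok else "UNPATCHED")
    result = audit_installed()
    if result is None:
        print("composer not found on this host")
    else:
        version, ok = result
        print("installed:", ".".join(map(str, version)), "patched" if ok else "UNPATCHED")
```

Run it on each build host or CI image; a result of `UNPATCHED` for a 2.0.x or 2.1.x install means the line simply has no fix listed here, so the remedy is the same as for a 2.3.4: upgrade to 2.3.5 or later.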
