Composer
Coverage of Composer in the Nexus archive.
- An Update on Composer and Packagist Supply Chain Security
The article discusses recent security updates for Composer and Packagist, focusing on enhancing supply chain security measures. Key improvements include stronger authentication and vulnerability checks to protect PHP package dependencies.
- Laravel Lang packages hijacked to deploy credential-stealing malware
A supply chain attack exploited Laravel Lang localization packages by hijacking GitHub version tags to distribute credential-stealing malware via Composer packages, exposing developers to a sophisticated malware campaign.
- Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware
A coordinated supply chain attack has compromised eight packages on Packagist, injecting malicious code that executes a Linux binary hosted on GitHub Releases. The attack targeted JavaScript projects by inserting malicious content into package.json, bypassing composer.json in Composer packages.
- New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released
Two high-severity command injection vulnerabilities in Composer's Perforce VCS driver could allow arbitrary command execution. Patches have been released to address these flaws, which are tracked as CVE-2026-40176 and another unspecified CVE.