Newly disclosed vulnerability in PHP package repository highlights growing software supply chain risks

Key takeaway: Attackers are increasingly trying to infiltrate software development environments via malicious and poisoned packages on public code repositories. Robust SBOM and SCA practices are key to mitigating the threat [289 words]

What: Researchers at SonarSource have disclosed a new vulnerability (CVE-2022-24828) in PHP package repository Packagist that gives attackers a way to execute arbitrary code on the server running the official instance of Packagist. A patch is available for the flaw.

Why it matters: Composer, the standard application-level dependency manager for PHP uses Packagist to fetch the metadata and dependencies associated with a given PHP package. The metadata includes the name of the package and from where it should be downloaded. The vulnerability gives attackers a way to force users to download backdoored dependencies the next time they update a Composer package or do a fresh install. Composer serves two billion software packages every month. Potentially one hundred million of these requests “could have been hijacked to distribute malicious dependencies and compromise millions of servers,” according to SonarSource.

Illustrative Example of Software Life Cycle and Bill of Materials Assembly Line (Source: NIST)

The big picture: Commercial software developers and organizations rely extensively on open-source components for building applications. A study by Synopsys showed some 97% of all written software contains open-source code. The percentage of open-source code in codebases tends to vary by industry: In the IoT sector 92% of code that Synopsys audited for the study was open-source; the number was around 60% for code in the aerospace, automotive, transportation and aviation sectors.

Attackers have sensed an opportunity and are increasingly attempting to infiltrate development environments by planting poisoned and malicious packages in open-source repositories.


SonarSource vulnerability report

Packagist alert

Recommended reading: NIST Guidance on SBOMs