packagist
Safeguard articles tagged "packagist" — guides, analysis, and best practices for software supply chain and application security.
6 articles
Composer/PHP Supply Chain Threats: 2025 Report
A senior engineer's 2025 report on Composer and Packagist supply chain threats: namespace abuse, abandoned maintainers, plugin hooks, and the attacks that actually landed on PHP shops.
Composer/PHP Package Supply Chain in 2026
PHP's Composer and Packagist ecosystem has quietly improved its supply chain story. Here is where things actually stand in 2026, and what PHP shops should do now.
Packagist's GitHub Webhook Flaw That Could Have Poisoned ...
A 2022 Packagist webhook vulnerability let a crafted GitHub branch name trigger command injection on Packagist's servers, threatening the entire PHP/Composer supply chain.
Malicious Composer packages on Packagist
Three malicious Composer package campaigns hit Packagist in under a year -- each sitting undetected for months. Here's what happened and how to catch the next one faster.
PHP Composer Security: Lockfiles, Packagist and Abandoned Packages
composer.lock is your integrity anchor, Packagist is a single point of trust, and roughly one in ten packages you depend on is quietly unmaintained. A field guide.
PHP Composer Dependency Security
Securing PHP applications through Composer lockfiles, Packagist verification, and automated vulnerability scanning.