The last months, and even more so the last weeks, saw an increasing number of software supply chain attacks targeting open-source ecosystems. A handful of these have hit the PHP ecosystem too, via taken-over GitHub accounts and stolen access tokens that let attackers publish new tags on packages they had no legitimate access to. Most notably laravel-lang on May 22 and intercom/intercom-php on April 30th.

This post is an update on where Composer and Packagist.org's supply chain security work stands right now: what's already in place, what ships in the next few weeks, and the longer-running projects we're working through. We've been focused on this area for close to a year, and there's enough to cover that it's worth pulling it together in one place.

If you maintain any package on Packagist.org and don't have MFA enabled, please enable it now. We will begin to publish package maintainer MFA status to package transparency logs, and it will be visible on profiles. See the MFA section below for details.

TL;DR

In place today:

- Aikido malware detection integrated into Packagist.org and the package metadata Composer consumes (open to further data providers with appropriate free licenses).
- Rapid manual incident response by the Packagist team.
- Public transparency log, which accurately recorded the git tag modifications used in the recent attacks.

Shipping this week:

- Composer 2.10, introducing a unified dependency policy framework that covers malware-flagged versions, vulnerability advisories, and abandoned packages.
- Stable version immutability on Packagist.org: tagged versions can no longer be silently rewritten by re-tagging in git repositories.
- New supply chain security features in Private Packagist for organization-wide control, to be detailed in follow-up posts over the next few days.
- More predictable composer install download behavior (deprecation of source fallbacks).

Coming in the next weeks and months:

- Minimum-release-age / cooldown dependency policy in Composer.
- Improved admin toolin...