PHP
Browse all articles, tutorials, and guides about PHP
2 posts
Posts
DevOps | 10 min read
When the Malicious Hook Is in the Other Manifest: 700+ Repos, 8 Packagist Packages, One package.json Trick
On May 22, 2026, Socket disclosed a Composer supply chain attack that hid its payload in an npm postinstall script inside package.json shipped with PHP packages. composer.json was clean, so PHP-focused review missed it, and 700+ GitHub repos pulled it in. Here is the exact payload, why ecosystem-boundary blindness keeps catching teams, and how to wire your CI to look at both manifests.
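The CI check the excerpt refers to, written here as an added example rather than code from the article or from Socket: it parses both manifests a PHP repository may carry and flags every script that a package manager would run automatically during install. The hook names are the documented npm lifecycle scripts and Composer event names; the two sample manifests, the hook command and the file names are constructed for the demo.

```python
"""Flag install-time lifecycle hooks in both manifests of a PHP project.

Added example: scans composer.json AND package.json so that a hook hidden in
the manifest the reviewer was not looking at still gets reported.
"""
import json
import sys
from pathlib import Path

# npm scripts that run automatically during `npm install` / `npm ci`.
NPM_INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Composer event scripts that run automatically during install/update.
COMPOSER_INSTALL_HOOKS = {
    "pre-install-cmd", "post-install-cmd",
    "pre-update-cmd", "post-update-cmd",
    "pre-autoload-dump", "post-autoload-dump",
    "post-root-package-install", "post-create-project-cmd",
    "pre-package-install", "post-package-install",
    "pre-package-update", "post-package-update",
}

# Constructed sample: composer.json is clean, package.json carries the hook.
SAMPLE_REPO = {
    "composer.json": json.dumps({
        "name": "acme/demo-lib",
        "require": {"php": ">=8.1"},
        "scripts": {"test": "vendor/bin/phpunit"},
    }),
    "package.json": json.dumps({
        "name": "demo-lib-assets",
        "scripts": {
            "build": "vite build",
            "postinstall": "sh -c 'PLACEHOLDER_COMMAND'",  # constructed, not the real payload
        },
    }),
}


def find_hooks(manifest_text: str, hook_names: set) -> dict:
    """Return {hook_name: command} for every auto-run script in one manifest."""
    data = json.loads(manifest_text)
    scripts = data.get("scripts", {})
    if not isinstance(scripts, dict):
        return {}
    found = {}
    for name, cmd in scripts.items():
        if name in hook_names:
            # Composer allows a list of commands per event; keep it readable.
            found[name] = cmd if isinstance(cmd, str) else json.dumps(cmd)
    return found


def scan_repo(manifests: dict) -> list:
    """manifests maps file name -> raw JSON text. Returns one finding per hook."""
    findings = []
    for filename, hooks in (("composer.json", COMPOSER_INSTALL_HOOKS),
                            ("package.json", NPM_INSTALL_HOOKS)):
        if filename not in manifests:
            continue
        for name, cmd in find_hooks(manifests[filename], hooks).items():
            findings.append(f"{filename}: {name} -> {cmd}")
    return findings


def load_repo(root: str) -> dict:
    """Read whichever of the two manifests exist under `root`."""
    base = Path(root)
    return {
        name: (base / name).read_text(encoding="utf-8")
        for name in ("composer.json", "package.json")
        if (base / name).is_file()
    }


if __name__ == "__main__":
    # Usage in CI: python check_hooks.py .   (non-zero exit blocks the pipeline)
    repo = load_repo(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPO
    results = scan_repo(repo)
    for line in results:
        print("INSTALL HOOK:", line)
    sys.exit(1 if results else 0)
```

Run without arguments it scans the constructed sample and reports the package.json postinstall hook while composer.json comes back clean, which is exactly the gap described above. Treat a finding as "needs human review", not as proof of malice; legitimate asset pipelines use these hooks too. Independently of the scan, installing with `composer install --no-scripts` and `npm ci --ignore-scripts` in CI keeps any hook from executing before a reviewer has seen it.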
Security | 6 min read
Two Composer Command Injection Flaws Let Attackers Run Arbitrary Code - Even Without Perforce
CVE-2026-40176 and CVE-2026-40261 affect all Composer 2.x versions before the fix. A malicious composer.json or crafted package metadata can execute OS commands on the machine running Composer. Upgrade to 2.9.6 now.