bc1q3909urygy90qhytu32344ws0t5vy085y0h7xc8 0x71faaDcAF2538e7346885F772FBAcb88740059A8 49PeCUfdgmG1ZMAzUxz2WFWiRDbDrycrJ8qYVfxBq6HWCHjk7uncaoESm7CRF5DtxcFgStuvyvcfUD3p4xU33F8dPep53MP 2 analyses tagged packagist, sorted newest first.
Four Laravel-Lang repositories were compromised through rewritten Composer tags that loaded a PHP backdoor through Composer autoload. Maintainers restored the tags on May 23, but installs from the exposure window require credential rotation and commit-level verification.
A campaign inserted malicious package.json postinstall hooks into Packagist-linked GitHub repositories, causing npm install workflows to download and execute a GitHub Releases binary as /tmp/.sshd.