Shulou(Shulou.com)11/24 Report--

CTOnews.com, May 4, according to the foreign science and technology media bleepingcomputer, a security researcher hijacked 14 Packagist software packages, some of which have been installed hundreds of millions of times just to find a job.

The name and number of hijacked packages attached to CTOnews.com are as follows:

The researcher, whose screen name is neskafe3v1, announced to the media that he had taken over 14 Packagist packages, one of which had more than 500 million installations.

Packagist is the primary registry for PHP packages, which can be installed through the dependency management tool Composer. Instead of hosting these packages, Packagist acts more as a metadata directory, aggregating open source packages published to GitHub.

Developers can then install these packages on their machines by running the composer install command.

The researchers provided evidence to BleepingComputer that on Monday, May 1, the Packagist pages of these packages were modified to point to the researchers'(fake) repository rather than the legitimate GitHub repository for each package.

"as you can see, I am looking for a job," the researcher said. "these materials will be the stepping stone to my new job."

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.