Composer is a tool tracked across 5 threat clusters and 9 intelligence report mentions on ThreatCluster. First observed March 17, 2026; most recent activity June 26, 2026.
Two command injection vulnerabilities, CVE-2026-40176 and CVE-2026-40261, have been identified in Composer's Perforce VCS driver, allowing attackers to execute arbitrary commands on user systems. CVE-2026-40176,…
On May 22, 2026, a supply chain attack targeted Laravel Lang localization packages, compromising 233 versions across four repositories. Attackers exploited GitHub's version tagging system to redirect legitimate tags to…
A recent change in GitHub's token format has led to a security vulnerability in Composer, exposing sensitive GitHub authentication tokens in CI/CD logs. This flaw affects PHP developers globally, as the outdated…
A supply chain attack has compromised OphimCMS, a Vietnamese-language Laravel CMS, through six malicious Composer packages published on Packagist. These packages, disguised as legitimate themes, contain trojanized…
On June 26, 2026, Private Packagist announced enhancements to its malware blocking capabilities for Composer users, particularly those using version 2.10. The updates prevent the installation of flagged malware…