Composer
Laravel-Lang Supply Chain Attack: 233 Package Versions Backdoored to Steal Cloud and CI/CD Secrets
Attackers repointed git tags across four Laravel-Lang Composer packages to a malicious fork, backdooring 233 versions with a credential stealer that drains cloud, CI/CD, and developer secrets.
Composer Command Injection (CVE-2026-40261, CVE-2026-40176): Any Malicious Repository Can Execute Code on Your Build Machines
Two high-severity command injection flaws in PHP's Composer package manager allow arbitrary command execution via malicious repository metadata — no Perforce installation required for the worst one.