
Latest Composer Security Vulnerabilities

Sandworm actively monitors all new Composer package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.


Detected On: 27 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script installs a PHAR tool with Phive (Phive installs PHAR archives, not Composer packages) and weakens Phive's verification with two flags. --force-accept-unsigned lets Phive install a PHAR that carries no GPG signature at all, so the normal guarantee that the archive was released by the key holder is gone. --trust-gpg-keys imports the listed key IDs without the interactive confirmation step, so the package author, not the person running composer install, decides which signing keys are trusted. A PHAR that is unsigned, or signed by a key that should not have been trusted, is PHP code that later runs inside the project with the installing user's privileges, where it can read secrets, open access or damage the system.

Detected On: 27 Oct 2023
Affected Install Script: install-scripts:post-update-cmd
Severity: moderate

On every composer update the hook deletes everything under app/etc/ and then removes the app/etc and app directories themselves, relative to the project root the update runs in. Any application configuration kept there is destroyed, which can leave the application unable to start. The hook then runs vendor/bin/phpcs --config-set installed_paths ../../magento/magento-coding-standard/, which changes PHP_CodeSniffer's persisted configuration so that later phpcs runs load sniffs from that path. Sniffs are ordinary PHP classes executed by phpcs, so whoever controls that directory controls code that runs whenever phpcs is invoked.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script runs phive with --force-accept-unsigned, which makes Phive install PHAR files that have no GPG signature. An unsigned PHAR could have been tampered with or replaced on the download host without anything detecting it, and it executes as PHP on the installing machine. The script also passes --trust-gpg-keys, which pre-approves the listed key IDs without anyone confirming they belong to the tool's author; a compromised or wrongly chosen key is then accepted silently. --force-accept-unsigned should not be used at all; if --trust-gpg-keys is needed for non-interactive installs, list the full fingerprint of the author's key, verified out of band.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

This script uses phive to install tools on the local machine. It passes --force-accept-unsigned, which allows PHARs without any GPG signature to be installed, so an unverified and potentially malicious archive is accepted. It also passes --trust-gpg-keys, which pre-approves the listed key IDs: a signature from any of them is accepted without the usual prompt, so nobody confirms that those keys really belong to the tool's author.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script installs a tool with Phive using --no-progress, --force-accept-unsigned and --trust-gpg-keys. --no-progress only suppresses the download progress output and is harmless. --force-accept-unsigned makes Phive ignore the fact that a PHAR is not signed, so the script could install an untrusted or malicious PHAR. --trust-gpg-keys makes Phive import and trust the listed key IDs without asking; signatures are still checked against them, but nobody confirms that the keys belong to the expected author. If a listed key is controlled by an attacker or has been compromised, a PHAR signed with it is accepted as genuine.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script installs a PHP tool with Phive, the PHAR installer. The flags --force-accept-unsigned and --trust-gpg-keys followed by a list of key IDs mean the installation proceeds even if the PHAR is unsigned, and that signatures from the listed keys are accepted without anyone confirming who holds them. This bypasses the one check designed to ensure that only archives released by a verified author are installed, and so could lead to the installation of malicious software.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script uses Phive to install a tool, but --force-accept-unsigned makes Phive accept an unsigned PHAR, which removes the guarantee that the archive came from the author's signing key and has not been modified since. A replaced release asset on the download host, or a tampered download, is then no longer detected. In addition, specific GPG keys are explicitly trusted with --trust-gpg-keys. Trusting named keys is not dangerous in itself, but it is only as good as the choice of keys: the script gives no way to tell who holds them, so they cannot simply be assumed safe.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script uses Phive to install a PHAR tool but applies two risky flags. --force-accept-unsigned makes Phive download and install an archive that has no signature, which opens the door to a malicious PHAR. --trust-gpg-keys adds the listed key IDs to the trusted set without confirmation; if any of those keys is compromised or belongs to the wrong party, a PHAR signed with it is installed as genuine. The script is therefore a risk unless both the keys and the archive are verified independently.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script invokes Phive with --no-progress (which only silences progress output), --force-accept-unsigned and --trust-gpg-keys. Accepting unsigned PHARs means an attacker who can substitute the archive on the download host, or tamper with it in transit, gets their code installed undetected. Trusting the listed keys without confirmation establishes trust that may not be warranted: the keys could belong to a party other than the tool's author, and the script gives the person running it no way to check.

Detected On: 23 Oct 2023
Affected Install Script: install-scripts:post-install-cmd
Severity: moderate

The script installs a tool with phive using the --force-accept-unsigned flag, so the PHAR is installed even if it is not signed. That allows unverified, potentially malicious PHP code to run on the installing machine. The --trust-gpg-keys flag explicitly trusts the listed GPG key IDs without prompting; if those keys are not the author's, or are compromised, a signed but malicious PHAR is accepted.
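The findings above all come from reading Composer event hooks (post-install-cmd, post-update-cmd) for a few command patterns. The following scanner reproduces that check; it is an added example, not Sandworm's own detector and not code from any of the packages listed. It parses a composer.json, follows Composer's @script references, splits chained commands, and flags phive installs that use --force-accept-unsigned, --trust-gpg-keys lists containing short (collidable) key IDs, recursive deletes, and phpcs installed_paths changes. The sample composer.json, the package name and the GPG key IDs in it are constructed placeholders.

```python
"""Scan composer.json event hooks for the risky install-script patterns above."""
import json
import re
import shlex

# Composer event hooks that run automatically during install/update.
EVENT_HOOKS = {
    "pre-install-cmd", "post-install-cmd",
    "pre-update-cmd", "post-update-cmd",
    "pre-autoload-dump", "post-autoload-dump",
}

# Constructed sample (assumption): not a real package, placeholder key IDs.
SAMPLE_COMPOSER_JSON = r'''
{
  "name": "example/sample-package",
  "scripts": {
    "post-install-cmd": ["@install-tools"],
    "post-update-cmd": [
      "rm -rf app/etc/* && rmdir app/etc app",
      "vendor/bin/phpcs --config-set installed_paths ../../example/coding-standard/"
    ],
    "install-tools": "phive install --no-progress --force-accept-unsigned --trust-gpg-keys 0123456789ABCDEF,DEADBEEF phpunit"
  }
}
'''


def resolve_commands(scripts, name, depth=0):
    """Yield individual shell commands for a script, following @name references."""
    if depth > 10:  # guard against self-referencing scripts
        return
    entries = scripts.get(name, [])
    if isinstance(entries, str):
        entries = [entries]
    for entry in entries:
        if entry.startswith("@") and entry[1:] in scripts:
            yield from resolve_commands(scripts, entry[1:], depth + 1)
            continue
        # Split "a && b", "a || b" and "a; b" so each command is inspected alone.
        for cmd in re.split(r"\s*(?:&&|\|\||;)\s*", entry):
            if cmd:
                yield cmd


def trusted_keys(argv):
    """Return the key IDs passed to --trust-gpg-keys (either =KEYS or a separate arg)."""
    for i, arg in enumerate(argv):
        if arg.startswith("--trust-gpg-keys="):
            return arg.split("=", 1)[1].split(",")
        if arg == "--trust-gpg-keys" and i + 1 < len(argv):
            return argv[i + 1].split(",")
    return []


def check_command(cmd):
    """Return (rule, detail) pairs for one shell command."""
    findings = []
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return [("unparseable", cmd)]
    if not argv:
        return findings
    prog = argv[0].rsplit("/", 1)[-1]  # vendor/bin/phpcs -> phpcs
    if prog == "phive" and "install" in argv:
        if "--force-accept-unsigned" in argv:
            findings.append(("phive-unsigned", "PHARs without a GPG signature are accepted"))
        keys = trusted_keys(argv)
        short = [k for k in keys if len(k) < 16]  # 16 hex = long key ID, 40 = fingerprint
        if short:
            findings.append(("phive-short-keyid", "short GPG key IDs are collidable: " + ",".join(short)))
        elif keys:
            findings.append(("phive-trust-keys", "keys auto-trusted without prompt: " + ",".join(keys)))
    if prog == "rm":
        recursive = any(a == "--recursive" or (re.fullmatch(r"-[A-Za-z]+", a) and "r" in a.lower())
                        for a in argv[1:])
        if recursive:
            targets = [a for a in argv[1:] if not a.startswith("-")]
            findings.append(("recursive-delete", "recursive delete of " + " ".join(targets)))
    if prog == "phpcs" and "--config-set" in argv and "installed_paths" in argv:
        findings.append(("phpcs-installed-paths", "phpcs will load sniffs (PHP code) from a new path"))
    return findings


def scan(composer_json_text):
    """Scan every event hook in a composer.json; returns a list of finding dicts."""
    scripts = json.loads(composer_json_text).get("scripts", {})
    report = []
    for hook in sorted(EVENT_HOOKS & set(scripts)):
        for cmd in resolve_commands(scripts, hook):
            for rule, detail in check_command(cmd):
                report.append({"hook": hook, "command": cmd, "rule": rule, "detail": detail})
    return report


if __name__ == "__main__":
    for f in scan(SAMPLE_COMPOSER_JSON):
        print(f"{f['hook']}: [{f['rule']}] {f['detail']}  <- {f['command']}")
```

Running it on the sample reports the phive hook twice (unsigned PHARs accepted, and a short key ID in the trusted list), the recursive delete, and the phpcs installed_paths change; the @install-tools indirection and the && chaining are resolved before the checks run, which is why a grep for "post-install-cmd" alone would miss the phive call. A phive command that lists only 40-hex fingerprints and omits --force-accept-unsigned is reported as phive-trust-keys at most, which is the shape a reviewer should expect for a legitimate non-interactive install.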

23 vulnerabilities