Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Cisco Catalyst Center Vulnerability Allows Remote Attackers to Read Arbitrary Files
July 2, 2026
Mapbox Flaw Lets Hackers Target Vulnerability Researchers with Python RAT
July 2, 2026
FCC Bans Chinese Telecom Equipment From Huawei, ZTE, Others Over Security Risks
July 2, 2026
Home/Threats/Packagist Composer Update Fixes GitHub Actions Token Leak
Threats

Packagist Composer Update Fixes GitHub Actions Token Leak

Key Takeaways A critical vulnerability in Composer, the PHP dependency manager, led to the exposure of GitHub authentication tokens. The flaw occurred when Composer encountered a new GitHub token...

David kimber
David kimber
May 14, 2026 3 Min Read
43 0

Key Takeaways

  • A critical vulnerability in Composer, the PHP dependency manager, led to the exposure of GitHub authentication tokens.
  • The flaw occurred when Composer encountered a new GitHub token format, causing it to print the full token into publicly visible CI logs.
  • Thousands of PHP projects using GitHub Actions were potentially affected, risking credential compromise.
  • GitHub has temporarily rolled back the new token format, but developers must still update Composer and audit logs for past exposures.

Composer Flaw Exposed GitHub Tokens in CI Logs

Packagist has issued an urgent advisory to the PHP development community regarding a critical vulnerability within Composer, the widely adopted PHP dependency manager. This flaw inadvertently exposed GitHub authentication tokens in publicly accessible continuous integration (CI) logs, raising significant concerns about credential compromise across a multitude of active software projects globally.

Table Of Content

  • Key Takeaways
  • Composer Flaw Exposed GitHub Tokens in CI Logs
  • Immediate Action Required: Update Composer
  • What You Should Do

The issue originated in late April 2026, when GitHub began a quiet rollout of an updated token format for its GitHub Actions service. This new format incorporated a hyphen within the token string, a character Composer’s internal validation logic was not designed to process.

Consequently, when Composer encountered one of these newly formatted tokens, it failed to validate it. Instead of handling the rejection discreetly, the tool printed the entire token value directly into the Actions log as part of a standard error message. This made the sensitive credential visible to anyone with access to the logs, requiring no advanced technical expertise to retrieve.

Researchers at Socket.dev were instrumental in highlighting the extensive scope and severity of this problem to the broader developer community. Their findings underscored that this was not an isolated incident or a theoretical risk, but a tangible threat capable of impacting any PHP project that integrates Composer within a GitHub Actions workflow.

The exposure was exacerbated by common operational practices. Many popular GitHub Actions setup workflows, such as those utilizing shivammathur/setup-php, automatically register the GITHUB_TOKEN into Composer’s global authentication configuration. If such a token matched the new, unsupported format during the rollout period, Composer’s rejection mechanism would inadvertently leak the full credential into the log without any explicit warning or visible indication to the developer managing the workflow.

Immediate Action Required: Update Composer

While GitHub has since reverted the new token format, thereby mitigating the immediate potential for fresh leaks, Packagist co-founder Nils Adermann emphasized that this rollback does not nullify previous exposures. Development teams are still strongly urged to update Composer and meticulously review their recent CI logs for any evidence of credential compromise before GitHub reattempts the rollout of the revised token format in the coming weeks.

Three distinct Composer versions now incorporate the official patch addressing this vulnerability. Developers operating modern environments should prioritize updating to Composer 2.9.8 or the long-term support release, Composer 2.2.28 LTS, without delay. For those still utilizing older branches, an update to Composer 1.10.28 is available, which also includes the fix. However, Packagist recommends transitioning to the Composer 2.x line whenever feasible for enhanced long-term security.

The implemented fix removes the rejected token value entirely from Composer’s error output and also relaxes the validation logic. This adjustment means the tool no longer relies on a hardcoded character pattern for token checks, significantly improving Composer’s resilience to future token format modifications from any platform. The overarching lesson is clear: access tokens should be treated as opaque strings, and assumptions about their length, structure, or character set should be avoided, especially as platforms continuously evolve these formats.

What You Should Do

  • Update Composer Immediately: Ensure all installations are updated to Composer 2.9.8, 2.2.28 LTS, or 1.10.28.
  • Audit GitHub Actions Logs: Review recent GitHub Actions logs for any failed Composer runs that might have inadvertently printed a token value.
  • Delete Exposed Log Entries: Where token exposure is identified, delete the relevant log entries to prevent further access.
  • Rotate Compromised Tokens: Treat any token suspected of exposure as compromised and rotate it immediately. GitHub-hosted runner tokens typically expire rapidly, but self-hosted runner tokens can remain valid for up to 24 hours.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

PatchSecurityVulnerability

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Seedworm APT Exploits Fortemedia, SentinelOne DLL Sideloading

Next Post

Critical Langflow CVE-2026-33017 vulnerability lets attackers steal AWS keys

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
CISA Warns of Microsoft SharePoint Server Code Execution Vulnerability Exploited in Attacks
July 2, 2026
Chrome API Flaw Exposes Android Photos to Ransomware
July 2, 2026
WinRAR 7.23 Patches Critical Heap Overflow Vulnerability CVE-2024-XXXX
July 2, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us