Vulnerabilities, May 13, 2026

Packagist Urges Immediate Composer Update After GitHub Actions Token Leak

A Composer vulnerability exposed GitHub Actions tokens in CI logs because the tool's token-format validation regex did not match GitHub's changed token format.

Summary

Packagist urgently warned PHP projects to update Composer after a GitHub token format change caused authentication tokens to be exposed in GitHub Actions CI logs. Composer versions 2.9.8, 2.2.28 LTS, and 1.10.28 fix a vulnerability in which the tool printed the full GITHUB_TOKEN or GitHub App installation token value to stderr whenever the token failed validation against an outdated regex pattern. Although GitHub has since rolled back the token format change, the fix is critical for projects whose credentials may already have been exposed during the brief window in which the new format was in use.
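The failure mode above, as an added Python illustration that is not Composer's code: a format check whose rejection message echoes the secret, the same check with a redacted diagnostic, and a small scan that a defender can run over captured CI log lines to find out whether a token was printed. The prefix regex and the sample token values are assumptions constructed for the example.

```python
import re

# Assumed for illustration, not Composer's real pattern: accept the documented
# GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_).
TOKEN_RE = re.compile(r"^(?:gh[pousr]_|github_pat_)[A-Za-z0-9_]+$")


def redact(token: str) -> str:
    """Return a log-safe hint: prefix plus length, never the secret itself."""
    prefix = token.split("_", 1)[0] + "_" if "_" in token else ""
    return f"{prefix}...({len(token)} chars)"


def validate_leaky(token: str) -> tuple[bool, str]:
    """Vulnerable shape: a regex mismatch echoes the full token into the
    diagnostic, which in a CI job lands in the public-enough job log."""
    if TOKEN_RE.match(token):
        return True, "token accepted"
    return False, f"token '{token}' does not match the expected format"


def validate_safe(token: str) -> tuple[bool, str]:
    """Hardened shape: same check, but the diagnostic carries only a hint."""
    if TOKEN_RE.match(token):
        return True, "token accepted"
    return False, f"token {redact(token)} does not match the expected format"


def find_leaks(log_lines: list[str], secrets: list[str]) -> list[int]:
    """Detection: 1-based numbers of log lines containing any secret verbatim."""
    return [i for i, line in enumerate(log_lines, 1)
            if any(s and s in line for s in secrets)]


# Constructed sample values; the hypothetical prefix "ghx_" stands in for a
# token format that the old regex does not recognise.
OLD_TOKEN = "ghs_" + "A" * 36
NEW_TOKEN = "ghx_" + "B" * 30

if __name__ == "__main__":
    _, msg = validate_leaky(NEW_TOKEN)
    log = ["Run composer install", f"  {msg}", "Done."]  # constructed job log
    print("leaky diagnostic:", msg)
    print("token found on log lines:", find_leaks(log, [NEW_TOKEN]))
    print("safe diagnostic:", validate_safe(NEW_TOKEN)[1])
```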


Indicators of Compromise

  • malware — GITHUB_TOKEN exposure via Composer stderr

Entities

  • Composer (product)
  • Packagist (vendor)
  • GitHub Actions (product)
  • GitHub (vendor)
  • PHP (technology)
  • shivammathur/setup-php (product)