Control seized over 14 PHP libraries in the Packagist repository

The maintainers of the Packagist package repository have disclosed details of an attack that resulted in the takeover of the accounts owning 14 PHP libraries, including popular packages such as instantiator (526 million total installs, 8 million installs per month, 323 dependent packages), sql-formatter (94 million total installs, 800 thousand per month, 109 dependent packages), doctrine-cache-bundle (73 million total installs, 500 thousand per month, 348 dependent packages) and qrcode-detector-decoder (20 million total installs, 400 thousand per month, 66 dependent packages).

After compromising the accounts, the attacker modified the composer.json file, adding to the project description field a note saying that he was looking for a job related to information security. To make the changes to composer.json, the attacker replaced the URLs of the original repositories with links to modified forks (Packagist serves only metadata with links to the projects hosted on GitHub; when installing with the "composer install" or "composer update" commands, packages are downloaded directly from GitHub). For example, for the acmephp package the linked repository was changed from acmephp/acmephp to neskafe3v1/acmephp.
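Because Packagist only publishes metadata and Composer fetches the code from whatever repository that metadata points to, a swapped source URL is the signal a defender can watch for. The script below is an added example, not code from the original article or from Packagist; it parses two constructed composer.lock fragments (a trusted baseline and a post-update state in which acmephp/acmephp resolves to the neskafe3v1 fork named above) and reports every package whose `source.url` changed, plus a weaker heuristic that flags packages whose vendor prefix differs from the GitHub owner of their source. Package versions and commit references in the sample data are made up.

```python
import json
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed baseline composer.lock fragment: a previously reviewed, trusted state.
# Versions and "reference" hashes are placeholders, not real releases.
BASELINE_LOCK = json.dumps({
    "packages": [
        {"name": "acmephp/acmephp", "version": "x.y.z",
         "source": {"type": "git", "url": "https://github.com/acmephp/acmephp.git", "reference": "aaaa"}},
        {"name": "doctrine/instantiator", "version": "x.y.z",
         "source": {"type": "git", "url": "https://github.com/doctrine/instantiator.git", "reference": "bbbb"}},
        {"name": "jdorn/sql-formatter", "version": "x.y.z",
         "source": {"type": "git", "url": "https://github.com/jdorn/sql-formatter.git", "reference": "cccc"}},
    ]
})

# Constructed "current" lock after a composer update that consumed poisoned metadata:
# acmephp/acmephp now points at a fork under a different GitHub account.
CURRENT_LOCK = json.dumps({
    "packages": [
        {"name": "acmephp/acmephp", "version": "x.y.z",
         "source": {"type": "git", "url": "https://github.com/neskafe3v1/acmephp.git", "reference": "dddd"}},
        {"name": "doctrine/instantiator", "version": "x.y.z",
         "source": {"type": "git", "url": "https://github.com/doctrine/instantiator.git", "reference": "bbbb"}},
        {"name": "jdorn/sql-formatter", "version": "x.y.z",
         "source": {"type": "git", "url": "https://github.com/jdorn/sql-formatter.git", "reference": "cccc"}},
    ]
})


def normalize_repo_url(url: str) -> str:
    """Lower-case host and path and drop a trailing .git so cosmetic differences do not alert."""
    parsed = urlparse(url)
    path = parsed.path.lower().rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return f"{parsed.netloc.lower()}{path}"


def source_urls(lock_json: str) -> Dict[str, str]:
    """Map package name -> normalized source URL for every package in a composer.lock document."""
    lock = json.loads(lock_json)
    result: Dict[str, str] = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        url = (pkg.get("source") or {}).get("url")
        if url:
            result[pkg["name"]] = normalize_repo_url(url)
    return result


def repo_owner(norm_url: str) -> Optional[str]:
    """Return the owner segment of a normalized github.com URL, or None for other hosts."""
    match = re.match(r"github\.com/([^/]+)/[^/]+$", norm_url)
    return match.group(1) if match else None


def find_source_changes(baseline_json: str, current_json: str) -> List[Tuple[str, str, str]]:
    """Strong signal: packages whose source repository moved between two lock files.

    Returns (package, old_url, new_url) triples. Newly added packages have no baseline
    and are not reported here; review them separately."""
    base = source_urls(baseline_json)
    current = source_urls(current_json)
    changes = []
    for name, url in current.items():
        old = base.get(name)
        if old is not None and old != url:
            changes.append((name, old, url))
    return changes


def find_vendor_owner_mismatches(lock_json: str) -> List[Tuple[str, str]]:
    """Weak signal: Packagist vendor prefix differs from the GitHub owner of the source.

    Many legitimate packages live under an organization that is not their vendor name,
    so treat hits as a review cue, not a verdict."""
    mismatches = []
    for name, url in source_urls(lock_json).items():
        vendor = name.split("/", 1)[0].lower()
        owner = repo_owner(url)
        if owner is not None and owner.lower() != vendor:
            mismatches.append((name, owner))
    return mismatches


if __name__ == "__main__":
    for name, old, new in find_source_changes(BASELINE_LOCK, CURRENT_LOCK):
        print(f"SOURCE MOVED: {name}: {old} -> {new}")
    for name, owner in find_vendor_owner_mismatches(CURRENT_LOCK):
        print(f"REVIEW: {name} is fetched from GitHub owner '{owner}'")
```

In practice the baseline is the composer.lock already committed to the repository and the current one is what `composer update` just wrote; running the comparison in CI before the new lock is merged turns a silent repository swap into a blocked change. Pinning the `reference` commit hash in the lock file is what makes the later `composer install` reproducible, but it does not help when the update itself is what pulls in the fork, which is why the URL diff is the check worth automating.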

Apparently the attack was carried out not to perform malicious actions, but as a protest against the careless attitude toward reusing the same credentials on different sites. At the same time, the attacker, contrary to the established practice of "ethical hacking", did not notify the library developers and repository maintainers in advance about the experiment being conducted. The attacker later announced that after successfully obtaining a job, he would publish a full report on the methods used in the attack.

According to the information published by the Packagist maintainers, all of the accounts managing the compromised packages used easily guessable passwords and did not have two-factor authentication enabled. It is presumed that the hacked accounts used passwords that had been used not only on Packagist but also on other services whose password databases had previously been compromised and leaked publicly. Taking over the email addresses of account owners tied to expired domains could also have been used as a way to gain access.

Compromised packages:

  • acmephp/acmephp (124,860 installs over the lifetime of the package)
  • acmephp/core (419,258)
  • acmephp/ssl (531,692)
  • doctrine/doctrine-cache-bundle (73,490,057)
  • doctrine/doctrine-module (5,516,721)
  • doctrine/doctrine-mongo-odm-module (516,441)
  • doctrine/doctrine-orm-module (5,103,306)
  • doctrine/instantiator (526,809,061)
  • growthbook/growthbook (97,568)
  • jdorn/file-system-cache (32,660)
  • jdorn/sql-formatter (94,593,846)
  • khanamiryan/qrcode-detector-decoder (20,421,500)
  • object-calisthenics/phpcs-calisthenics-rules (2,196,380)
  • tga/simhash-php, tgalopin/simhashphp (30,555)

Source: opennet.ru