HeadlinesBriefing.com

PHP Supply Chain Security Overhaul

Source: Hacker News

Recent supply chain attacks have hit the PHP ecosystem, including laravel-lang and intercom/intercom-php packages compromised through GitHub account takeovers. Packagist.org has responded with Aikido malware detection and rapid incident response. The transparency log now tracks security events, helping identify manipulated git tags in recent attacks. Maintainers without MFA face increased security risks.

Composer 2.10 introduces a unified dependency policy framework covering malware, vulnerabilities, and abandoned packages. Packagist.org will implement version immutability to prevent tag rewrites. Private Packagist gains organization-wide security controls. These steps address the immediate concerns and, by deprecating source fallbacks in dependency resolution, make installation behavior more predictable.
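Until registry-side version immutability is in place, the consumer-side check for a rewritten tag is to diff the commit references pinned in composer.lock between a reviewed snapshot and a fresh update: the same version string resolving to a different commit is exactly the condition immutability forbids. The script below is an added example, not Composer or Packagist code; the two lock files are constructed inline with placeholder package names and commit hashes, and the `abandoned` field is read in the form Composer records it in lock entries (either `true` or the name of a replacement package).

```python
import json
from typing import Dict, List

# Constructed sample lock files (placeholder package names and commit hashes, not
# real releases). OLD_LOCK is the snapshot previously reviewed and committed;
# NEW_LOCK is what a fresh "composer update" produced.
OLD_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/alpha", "version": "v1.4.0",
         "source": {"type": "git", "url": "https://example.invalid/vendor/alpha.git",
                    "reference": "1111111111111111111111111111111111111111"}},
        {"name": "vendor/beta", "version": "v2.0.1",
         "source": {"type": "git", "url": "https://example.invalid/vendor/beta.git",
                    "reference": "2222222222222222222222222222222222222222"}},
    ],
    "packages-dev": [],
})

NEW_LOCK = json.dumps({
    "packages": [
        # Same tag, different commit: the tag was moved after we first pinned it.
        {"name": "vendor/alpha", "version": "v1.4.0",
         "source": {"type": "git", "url": "https://example.invalid/vendor/alpha.git",
                    "reference": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}},
        # New tag with a new commit: an ordinary upgrade, not a rewrite.
        {"name": "vendor/beta", "version": "v2.1.0",
         "source": {"type": "git", "url": "https://example.invalid/vendor/beta.git",
                    "reference": "3333333333333333333333333333333333333333"},
         "abandoned": "vendor/beta-next"},
        # Newly added dependency: nothing to compare against yet.
        {"name": "vendor/gamma", "version": "v0.9.0",
         "source": {"type": "git", "url": "https://example.invalid/vendor/gamma.git",
                    "reference": "4444444444444444444444444444444444444444"}},
    ],
    "packages-dev": [],
})


def _index(lock_text: str) -> Dict[str, dict]:
    """Map package name -> lock entry across both packages and packages-dev."""
    lock = json.loads(lock_text)
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    return {entry["name"]: entry for entry in entries}


def _reference(entry: dict) -> str:
    """Commit pinned for this entry; prefer the git source, fall back to dist."""
    for key in ("source", "dist"):
        ref = entry.get(key, {}).get("reference")
        if ref:
            return ref
    return ""


def find_tag_rewrites(old_lock_text: str, new_lock_text: str) -> List[dict]:
    """Packages whose version string is unchanged but whose pinned commit moved.

    A moved tag is what a version-immutability policy forbids; until the
    registry enforces it, this diff is the consumer-side check.
    """
    old, new = _index(old_lock_text), _index(new_lock_text)
    rewrites = []
    for name, new_entry in new.items():
        old_entry = old.get(name)
        if old_entry is None:
            continue  # new dependency, no baseline to compare against
        if old_entry["version"] != new_entry["version"]:
            continue  # explicit upgrade; review it as a version bump instead
        old_ref, new_ref = _reference(old_entry), _reference(new_entry)
        if old_ref != new_ref:
            rewrites.append({"name": name, "version": new_entry["version"],
                             "old_reference": old_ref, "new_reference": new_ref})
    return rewrites


def abandoned_packages(lock_text: str) -> Dict[str, str]:
    """Packages flagged abandoned in the lock, mapped to the suggested replacement ("" if none)."""
    result = {}
    for name, entry in _index(lock_text).items():
        flag = entry.get("abandoned")
        if flag:
            result[name] = flag if isinstance(flag, str) else ""
    return result


if __name__ == "__main__":
    for hit in find_tag_rewrites(OLD_LOCK, NEW_LOCK):
        print(f"TAG REWRITE {hit['name']} {hit['version']}: "
              f"{hit['old_reference'][:12]} -> {hit['new_reference'][:12]}")
    for name, replacement in abandoned_packages(NEW_LOCK).items():
        print(f"ABANDONED {name}" + (f" (use {replacement})" if replacement else ""))
```

Run against the constructed input, the script reports vendor/alpha as a tag rewrite (same v1.4.0, different commit) while treating vendor/beta as a normal version bump and vendor/gamma as a new dependency with no baseline; vendor/beta is also listed as abandoned with its replacement. In a CI job the same comparison would take the committed composer.lock as OLD_LOCK and the freshly generated one as NEW_LOCK and fail the build on any rewrite until a human has reviewed it.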

Future plans include mandatory MFA across Packagist, with stricter requirements for organizations. Organizational Package Ownership will replace shared accounts with proper multi-user management. The platform also aims to verify SLSA build provenance and Sigstore attestations. These measures align with the OpenSSF Securing Software Repositories Working Group principles at their higher security levels, with a focus on L3 for authorization.