CPDM A.I CyberSecurity Scoring
CPDM
Company Information
Website: https://getcomposer.org/
Employees number: 2
Number of followers: 902
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: getcomposer.org
CPDM Risk Score (AI oriented): 741/1000, Moderate (Ba), band 700 to 749
Updated: 14/05/2026
CPDM Global Score (TPRM): score locked
Current Score: 741 Ba (Moderate)
2 incidents, -3.5 points average impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 742
MAY 2026: 746
Vulnerability | 13 May 2026 | CPDM | Score: 741 | CRITICAL-5 | ID: PHPGIT1778747372
GitHub and PHP Projects: GitHub Actions Token Leak Prompts Urgent Composer Update Warning
GitHub Token Leak Exposes PHP Projects to Credential Theft
A recent format change in GitHub’s authentication tokens triggered a critical security flaw, exposing thousands of PHP projects to potential credential theft. The issue, discovered in late April 2026, stems from GitHub’s rollout of a new, variable-length token format that includes hyphens, a character that Composer’s token validation did not accept.
When Composer encountered the updated tokens, its regex validation failed, and instead of masking the value the tool wrote the full, unredacted token into its error output. This affects projects that run Composer in GitHub Actions workflows, particularly those using the widely adopted shivammathur/setup-php action, which automatically registers the workflow’s GitHub token in Composer’s global authentication settings.
The risk varies by runner type: tokens on GitHub-hosted runners expire within 6 hours, while those on self-hosted runners remain valid for up to 24 hours. Since GitHub App tokens may carry broad permissions, exposed credentials could grant attackers significant access to repositories and CI/CD pipelines.
On May 13, 2026, GitHub temporarily reverted the token format change to halt further exposure, providing a brief window for developers to patch their systems. Composer versions 2.9.8, 2.2.28 LTS, and 1.10.28 (for legacy systems) now include fixes that relax validation rules and prevent token leakage in logs. Packagist confirmed that packagist.org and Private Packagist were unaffected, with the latter already mitigating the issue.
The incident underscores the risk of validating a secret against a rigid assumption about its format: a validator that rejects an unfamiliar token must still treat the value as a secret, because the rejection path (logging the raw value) is exactly where the leak occurred. Developers are advised to audit recent GitHub Actions logs for exposed tokens, treat any token found in a log as compromised and revoke it, and keep workflow token permissions as narrow as the job allows so that a future exposure is bounded.
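The failure mode described above, and the log audit recommended in the last paragraph, as an added example. This is illustrative Python written for this page, not Composer's or setup-php's code; the two validator regexes model the rigid and relaxed behaviour in simplified form, and the tokens and log lines are constructed (they are not real credentials). The well-known GitHub prefixes (ghp_, ghs_, github_pat_ and friends) are real; the exact shape of the new hyphenated format is not reproduced here.

```python
from __future__ import annotations

import re

# Illustrative validators (constructed for this example; not Composer's own regexes).
# Rigid: only the classic fixed alphabet after the prefix. A hyphen makes the value "not a token".
RIGID_TOKEN_RE = re.compile(r"^gh[pousr]_[A-Za-z0-9]{36,255}$")
# Relaxed: tolerates variable length and hyphens while still anchoring on known GitHub prefixes.
RELAXED_TOKEN_RE = re.compile(r"^(?:gh[pousr]_|github_pat_)[A-Za-z0-9_-]{20,}$")
# Unanchored pattern for sweeping logs; deliberately loose so hyphenated tokens are caught too.
LOG_SCAN_RE = re.compile(r"\b(?:gh[pousr]_|github_pat_)[A-Za-z0-9_-]{20,}")

# Constructed tokens for the demonstration; neither is a real credential.
CLASSIC_TOKEN = "ghs_0123456789abcdefghijklmnopqrstuvwxyz"            # 36-character body
HYPHEN_TOKEN = "ghs_0123456789-abcdefghijklmnopqrstuvwxyz-ABCDEFGH"   # variable length, hyphens


def mask(token: str) -> str:
    """Keep the prefix and the last four characters so entries can be correlated
    without the log reproducing the secret."""
    m = re.match(r"(gh[pousr]_|github_pat_)", token)
    prefix = m.group(1) if m else ""
    body = token[len(prefix):]
    return prefix + "*" * max(len(body) - 4, 0) + body[-4:]


def redact_for_log_naive(token: str, validator: re.Pattern) -> str:
    """The failure mode: only values the validator recognises are masked, so a token
    of an unfamiliar shape is written to the log verbatim."""
    if validator.match(token):
        return mask(token)
    return token  # leak: the "invalid" value is still a live secret


def redact_for_log_safe(token: str) -> str:
    """Hardened: the value came from a credential field, so it is masked unconditionally;
    the validation result should only change the message text, never the redaction."""
    return mask(token)


def find_leaked_tokens(log_text: str) -> list[tuple[int, str]]:
    """Scan CI log text and return (line_number, masked_token) for every match.
    Run it over downloaded GitHub Actions logs; any hit means that token must be revoked."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in LOG_SCAN_RE.finditer(line):
            hits.append((lineno, mask(m.group(0))))
    return hits


# Constructed sample of an Actions log in which two tokens were written out in the clear.
SAMPLE_LOG = """\
2026-05-02T10:14:03Z setup-php: registering GitHub token with Composer
2026-05-02T10:14:04Z composer: invalid token for github-oauth.github.com: ghs_0123456789-abcdefghijklmnopqrstuvwxyz-ABCDEFGH
2026-05-02T10:14:09Z composer: Installing dependencies from lock file
2026-05-02T10:14:10Z composer: invalid token for github-oauth.github.com: github_pat_11AAAAAAA0-bbbbbbbbbbbbbbbbbbbb-CCCC
"""

if __name__ == "__main__":
    print("rigid  :", redact_for_log_naive(HYPHEN_TOKEN, RIGID_TOKEN_RE))    # written in full
    print("relaxed:", redact_for_log_naive(HYPHEN_TOKEN, RELAXED_TOKEN_RE))  # masked
    print("safe   :", redact_for_log_safe(HYPHEN_TOKEN))                     # masked regardless
    for lineno, masked in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {lineno}: {masked}")
```

The design point is the second function: redaction must not be gated on the same check that can fail. The scanner is intentionally broader than either validator, since an audit wants false positives over a missed live token.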
INCIDENT DETAILS: Type: Data breach
APRIL 2026: 748
Vulnerability | 10 Apr 2026 | CPDM | Score: 746 | LOW-2 | ID: PHP1776263066
Packagist.org and PHP Composer: New PHP Composer Vulnerability Lets Attackers Execute Arbitrary Commands
Critical Command Injection Vulnerabilities Patched in PHP Composer
PHP Composer, the widely used dependency management tool for PHP developers, has released urgent security updates to address two critical command injection vulnerabilities. The flaws, tracked as CVE-2026-40176 and CVE-2026-40261, affect the Perforce Version Control System (VCS) driver and could allow attackers to execute arbitrary commands on a victim’s machine.
The vulnerabilities stem from insufficient escaping of values when constructing shell commands. CVE-2026-40176, discovered by researcher saku0512, enables command injection via manipulated connection parameters (e.g., port, user, or client) in a malicious composer.json file; exploitation requires a developer to run Composer commands in an untrusted project directory. CVE-2026-40261, reported by Koda Reef, involves improper escaping when appending source reference parameters, allowing exploitation through tainted package metadata even when Perforce is not installed on the target system.
The PHP Composer team confirmed no evidence of active exploitation before disclosure. Proactive scans of Packagist.org and Private Packagist found no malicious packages leveraging these flaws. As a precaution, Perforce source metadata publication was disabled on both platforms on April 10, 2026.
Users are advised to update to Composer 2.9.6 or the LTS version 2.2.27 immediately. Temporary mitigations include avoiding source-based dependency installation (`--prefer-dist`, which fetches dist archives instead of checking packages out of their VCS and so keeps the Perforce driver out of the install path), reviewing composer.json files in untrusted projects before running any Composer command in them, and relying on trusted repositories. Self-hosted Private Packagist users will receive verification tools to scan for malicious metadata.
MARCH 2026: 748
FEBRUARY 2026: 748
JANUARY 2026: 748
DECEMBER 2025: 748
NOVEMBER 2025: 748
OCTOBER 2025: 748
SEPTEMBER 2025: 748
AUGUST 2025: 748
JULY 2025: 748
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for CPDM?
What was CPDM's A.I Rankiteo Cyber Score in May 2026?
What was CPDM's A.I Rankiteo Cyber Score in April 2026?
What was CPDM's A.I Rankiteo Cyber Score in March 2026?
What was CPDM's A.I Rankiteo Cyber Score in February 2026?
What was CPDM's A.I Rankiteo Cyber Score in January 2026?
What was CPDM's A.I Rankiteo Cyber Score in December 2025?
What was CPDM's A.I Rankiteo Cyber Score in November 2025?
What was CPDM's A.I Rankiteo Cyber Score in October 2025?
What was CPDM's A.I Rankiteo Cyber Score in September 2025?
What was CPDM's A.I Rankiteo Cyber Score in August 2025?
What was CPDM's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on CPDM's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with CPDM?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view CPDM's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?