Packagist Urges Immediate Composer Update After GitHub Actions Token Leak

What Happened

A bug in the PHP package manager, Composer, caused it to accidentally print secret GitHub access tokens into system logs when it didn't recognize a newly introduced token format. Software development teams using older versions of Composer within GitHub Actions are affected. If these secret tokens are exposed in logs, anyone with access to those logs could potentially misuse them to gain unauthorized access to code repositories or internal systems. Developers should immediately update Composer to the latest patched versions and review their recent automated run logs to delete any exposed secrets.

Key Takeaways

• Composer versions prior to 2.9.8, 2.2.28 LTS, and 1.10.28 can leak GitHub Actions tokens to CI logs upon validation failure.
• The issue was triggered by a new GitHub token format containing hyphens, which broke Composer's validation regex.
• GitHub has temporarily rolled back the token format change, reducing immediate risk, but updates are still required.
• PHP projects using Composer in GitHub Actions must update immediately to prevent future credential exposure.
• Teams should review recent CI logs for exposed tokens, delete affected logs, and check for unexpected activity.

Affected Systems

• Composer < 2.9.8
• Composer < 2.2.28 LTS
• Composer < 1.10.28
• GitHub Actions
• PHP Projects

Attack Chain

A PHP project executes a GitHub Actions workflow that utilizes Composer and provides a GitHub token for authentication. Composer attempts to validate the token against a hardcoded regular expression. Because the token uses a newly introduced GitHub format containing a hyphen, the validation fails. Composer then inadvertently writes the full, unredacted token to stderr, exposing the credential in the GitHub Actions run logs.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

N/A

Detection Engineering Assessment

EDR Visibility: None — This is a CI/CD pipeline logging issue occurring within GitHub Actions infrastructure, not on EDR-monitored endpoints. Network Visibility: None — The exposure happens within the CI/CD platform's internal logging mechanism, not over monitored network traffic. Detection Difficulty: Moderate — Requires scanning historical CI/CD logs for exposed token patterns specifically within failed Composer steps, which may require custom log parsing tools.

Required Log Sources

• GitHub Actions Run Logs
• CI/CD Pipeline Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Consider hunting for exposed GitHub tokens in recent GitHub Actions logs by searching for the ghs_ prefix within failed Composer execution steps.	CI/CD Pipeline Logs	Credential Access	Low

Control Gaps

• Secret scanning tools that do not scan historical CI/CD run logs dynamically

Key Behavioral Indicators

• Failed Composer runs in GitHub Actions logs
• Presence of ghs_ or GITHUB_TOKEN values in stderr output of CI jobs

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Update Composer to version 2.9.8, 2.2.28 LTS, or 1.10.28 in all CI/CD pipelines.
• Review recent GitHub Actions logs for failed Composer runs and delete any logs containing exposed tokens.
• Revoke and rotate any GitHub App installation tokens or personal access tokens that may have been exposed in recent CI runs.

Infrastructure Hardening

• Evaluate whether secret scanning is enabled and configured to alert on exposed tokens in CI/CD logs.
• Ensure CI/CD workflows are configured to mask known secrets in log outputs where supported by your tooling.

User Protection

• N/A

Security Awareness

• Remind development teams to avoid hardcoding token validation patterns based on length or character sets, as platform token formats frequently change.

MITRE ATT&CK Mapping

• T1552.001 - Credentials In Files