A critical vulnerability was discovered and responsibly disclosed to help secure the PHP supply chain. The vulnerability allows an attacker to gain control of Packagist, the central component that the PHP package manager Composer uses to determine and download software dependencies. Virtually all organizations using PHP code are affected, with over 100 million requests potentially compromised every month. The maintainers patched the public instance within hours, but users integrating Composer as a library should upgrade to version 1.10.26 or later to receive the security patches. A similar vulnerability was discovered last year and fixed in the same way. Supply chain attacks are becoming increasingly common, exploiting the fact that modern software is built on top of third-party components without clear visibility into every package that gets downloaded. This vulnerability highlights the importance of maintaining a secure supply chain and is a reminder for developers to review their dependencies regularly.