Version tags on Packagist.org are now immutable — the exact trick the attacker used to rewrite tags to their malicious fork is now rejected at the registry level.

Also: composer install now blocks malware even if it already slipped into your lockfile, and composer audit now fails on flagged malware versions.

Run: composer self-update to update.

Full breakdown: https://medium.com/@abderahmane.merradou/update-composer-now-version-2-10-blocks-the-exact-attack-that-hit-laravel-on-may-22-a46e54bdbefd

submitted by /u/True_Musician_3911