PHP's Supply Chain Under Siege: How Packagist Fights Back Against Account Takeovers and Stealthy Malware

WebProNews·Maya Perez·3 days ago

Attacks keep coming. In the past weeks alone, attackers used seized GitHub accounts and stolen tokens to push malicious tags on popular PHP packages. The incidents hit hard. Laravel-lang packages saw over 700 historical versions compromised on May 22 and 23, 2026, according to Snyk. Days earlier, intercom/intercom-php fell victim on April 30. But the response from the maintainers of Composer and Packagist.org shows deliberate progress. Their latest blog post lays out concrete defenses already deployed, features rolling out this week, and longer-term plans that address the root problems of mutable releases and weak maintainer accounts. The Packagist blog details it all. One coordinated campaign in May infected eight packages. The malicious code hid in package.json files rather than composer.json, targeting projects that mix JavaScript build tools with PHP. “Although the affected packages were all Composer packages, the malicious code was not added to composer.json,” Socket said.…
