Co-Founder of @packagist / packagist.com and Co-Creator of #composerphp - he/him - @naderman@phpc.social

Joined January 2008
Nils Adermann retweeted
🧩 Composer plugins are powerful, but execute code during install & update. Composer prompts to allow a plugin, but a distracted "yes" or an AI agent on autopilot is all it takes. Private Packagist now has org-level allowlists for plugins. #php #phpc #composerphp
Nils Adermann retweeted
What if you could have 1,000 tools exposed from your MCP server? Sentry doesn't have a thousand, but now we give you a lot more out of the box, with no real degradation in usability or always-on context. cra.mr/a-bigger-toolbox-for-…
Nils Adermann retweeted
⚠️ Real PHP packages. Real attacks. Real consequences. @naderman is live in 5 mins at #PHPverse 2026 breaking down how supply chain attacks hit the PHP ecosystem – and everything Packagist has done to fight back. If you use #composerphp, this is required viewing 👉 bit.ly/4aEOWCv
Live now, free online conference #PHPVerse2026! Join us now! #php #phpc
Nils Adermann retweeted
Jun 8
new shai hulud wave. interestingly it has this inside the payload to trigger safety refusals in potential defensive scans.
Replying to @SocketSecurity
We are now tracking 471 affected artifacts across npm and PyPI in the Mini Shai-Hulud/Miasma/Hades campaign. The newer PyPI artifacts from this wave have been added to the dedicated campaign tracker. Full breakdown: socket.dev/blog/mini-shai-hu…
Nils Adermann retweeted
irl w/ composer creator x.com/i/broadcasts/1dKrPPwgl…
Looking forward to talking about Composer and Packagist Supply Chain Security in 2026 at the JetBrains PHPverse 2026 on June 9 - Join us for a free virtual event bringing together developers, ideas, and energy from across the PHP ecosystem. #PHPverse2026 jb.gg/3ldzpb
Nils Adermann retweeted
Trusted publishing via OIDC to package registries pushed the problem to GitHub, where PATs and CLI tokens are arguably much worse than NPM tokens. This will get worse before it gets better unless GitHub rips the bandaid off, kills classic PATs, and shifts the CLI to sane AuthN.
Nils Adermann retweeted
Ever found yourself accidentally merging changes to the public API of a PHP package and regretting it later? I made a GitHub Action to help prevent that. seld.be/notes/surfacing-publ…
Nils Adermann retweeted
The Composer CLI is part of your supply chain. Older versions miss the protections in 2.10 and carry known CVEs of their own. Private Packagist customers can now enforce which Composer client versions can talk to their repository. #php #phpc #composerphp
Nils Adermann retweeted
php devs, we no longer need to duct-tape python scripts just to parse a pdf 😭 launching Parsel: a fast, memory-efficient local document parser for PHP. pdfs, office docs & images → text, structured data, bboxes, screenshots. built for AI/RAG, NLP, invoices, search, and messy docs. composer require shipfastlabs/parsel
Nils Adermann retweeted
confirmed… next week i'll be chatting irl on stream with @naderman, co-creator of composer, about everything the composer team is doing in light of the recent supply chain attacks
Nils Adermann retweeted
⛔ Composer policies block flagged malware, but only on 2.10. A CI image running an old Composer version, or a project disabling the policy, still installs flagged versions. Private Packagist now blocks these at the registry, on any client. #php #phpc #composerphp
Nils Adermann retweeted
🛡️ Composer's download fallbacks can silently undermine repository security: A Private Packagist URL blocked for a malware-flagged version falls back to GitHub or a source clone. Two new Private Packagist options close it off. #php #phpc #composerphp
Nils Adermann retweeted
I realized I was never going to get to adding zizmor to all my repos so I made a claude skill to let it do the grunt work. You can use it too, if it helps more busy/lazy people to secure their GitHub repos I am glad! See github.com/Seldaek/zizmorify
Replying to @packagist
We recommend you change the default permissions for GitHub Actions GITHUB_TOKENs to read-only. Grant elevated permissions only where necessary. Use zizmor to analyze your GitHub Actions: github.com/zizmorcore/zizmor see also: phpunit.expert/articles/hard…
Nils Adermann retweeted
Composer 2.10 is out. Native malware filtering via @AikidoSecurity, enabled by default on @Packagist. Plus a unified config.policy framework, deprecated source fallback, and wildcards in --with. #php #phpc #composerphp
Nils Adermann retweeted
Today we published our Impact and Transparency Report for 2025. We are incredibly grateful for our sponsors, partners, contractors, and individual financial contributors for without them, none of our work would be possible. 💙 🐘thephp.foundation/blog/2026/… #php #opensource
Nils Adermann retweeted
🔒An update on Composer & Packagist supply chain security: what's in place, what ships this week with Composer 2.10 (dependency policies, immutable versions), and what comes next. If you maintain PHP packages, enable MFA now! #php #phpc #composerphp
Nils Adermann retweeted
introducing laravel moat. as an open source maintainer, recent supply chain attacks in the ecosystem made me want a simple cli to audit the security of my GitHub organizations and repositories. built in Rust, for any open source project on GitHub.
Nils Adermann retweeted
As an OSS maintainer, my new rule is that anything a frontier model can find with some reasonable effort is a 0-day. Hence why I'm now shipping security releases on public holidays.