
Cloud Vulnerability DB
A community-led vulnerabilities database
A malicious typosquatting package named 'symfont/process' was discovered in September 2021, targeting users of the legitimate 'symfony/process' package. The malware was identified in the Composer package repository Packagist and was designed to exploit developers who might accidentally misspell the package name during installation (Kernelmode Blog, GitHub Advisory).
The malicious package was designed to be automatically loaded upon installation. When executed through a call to 'new Symfony\Process\Process()', the malware would communicate with a command and control server at hxxp://www.yls333[.]com/dev.php, transmitting the contents of the $_SERVER superglobal variable, which includes sensitive server information such as IP, port, and hostname (Kernelmode Blog).
Once installed, the malware could expose sensitive server information to attackers and potentially allow remote code execution through a web shell. Because it activated whenever a Process instance was created in the application, any request that triggered that code path, from any visitor to the compromised website, could set it off (Kernelmode Blog).
The malicious package was removed from Packagist.org on September 10th, 2021. To prevent similar attacks, developers should carefully verify package names during installation and implement proper package verification procedures (Kernelmode Blog).
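One way to catch this class of mistake before it ships, as an added example that is not part of the report or of Wiz's tooling: scan a composer.lock for vendor names that are a one-character edit away from a vendor the project is known to use. The allowlist and the lock fragment below are constructed for the example; `symfont/process` is the typosquat named above.

```python
import json
from typing import Iterable, List, Tuple

# Constructed allowlist: vendor namespaces this project is known to depend on.
KNOWN_VENDORS = {"symfony", "psr", "monolog", "doctrine"}

# Constructed composer.lock fragment; the typosquat from the report is in it.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/console", "version": "v5.3.7"},
        {"name": "symfont/process", "version": "v5.3.4"},
        {"name": "monolog/monolog", "version": "2.3.4"},
    ],
    "packages-dev": [
        {"name": "psr/log", "version": "1.1.4"},
    ],
})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquats(lock_json: str, known_vendors: Iterable[str] = KNOWN_VENDORS,
                    max_distance: int = 1) -> List[Tuple[str, str]]:
    """Return (package, vendor it resembles) for every locked package whose
    vendor is not an allowed vendor but is within max_distance edits of one."""
    lock = json.loads(lock_json)
    allowed = set(known_vendors)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            vendor = pkg["name"].split("/", 1)[0]
            if vendor in allowed:
                continue  # exact match to a vendor we expect: nothing to flag
            for real in sorted(allowed):
                if levenshtein(vendor, real) <= max_distance:
                    findings.append((pkg["name"], real))
    return findings


if __name__ == "__main__":
    for name, looks_like in find_typosquats(SAMPLE_LOCK):
        print(f"SUSPICIOUS: {name} (vendor resembles '{looks_like}')")
```

Run it as a CI step against the real composer.lock with the project's own vendor allowlist; a hit is a reason to inspect the package on Packagist before the build proceeds.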
Source: This report was generated using AI