warningRisk: Secrets

Scanned:

PHP

Artifact:

latest

All-in-One PHP support - IntelliSense, Debug, Formatter, Code Lenses, Code Fixes, Linting, Refactoring, PHPUnit Tests, Web Server, and more.

License: unknown

Published:

Publisher: DEVSENSE

Visit GitHub

See on Visual Studio Code

SAFE Assessment

Compliance

Licenses

No license compliance issues

Secrets

1 web service credentials found

Security

Vulnerabilities

No known vulnerabilities detected

Hardening

1 low priority mitigations absent

Threats

Tampering

No evidence of software tampering

Malware

No evidence of malware inclusion

INCIDENTS FOR THIS VERSION:

Popularity

6.38M

Total Installs

Contributor

Declared Dependencies

Dependents

Top issues

See all issues

Problem

Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. One or more embedded URLs were discovered to link to raw files hosted on GitHub. Attackers often abuse popular web services to host malicious payloads. Since code-sharing services URLs are typically allowed by security solutions, using them for payload delivery increases the odds that the malicious code will reach the user. While the presence of code-sharing service locations does not imply malicious intent, all of their uses in a software package should be documented and approved. An increasing number of software supply chain attacks in the open source space leverages the GitHub service to deliver malicious payloads.

Prevalence in Visual Studio Code community

79 packages

found in

Top 100

622 packages

found in

Top 1k

4233 packages

found in

Top 10k

29.36k packages

in community

Next steps

Investigate reported detections.

If the software should not include these network references, investigate your build and release environment for software supply chain compromise.

You should delay the software release until the investigation is completed, or until the issue is risk accepted.

Consider an alternative delivery mechanism for software packages.

Problem

Various network communication protocols allow including plaintext authentication credentials. Information such as user names and passwords could be passed through a non-encrypted channel, and therefore intercepted by malicious actors. Credentials are considered secrets, and should be kept encrypted until they are used. This policy control matches the following URI pattern protocol://username:password@domain within any software package component.

Prevalence in Visual Studio Code community

14 packages

found in

Top 100

112 packages

found in

Top 1k

273 packages

found in

Top 10k

1.71k packages

in community

Next steps

Review the reported matches. If the warning refers to a placeholder credential value, it can be safely ignored.

Problem

Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. While most behaviors are benign on their own, some might become important for analysis when observed alongside other capabilities the component exhibits. This issue is reported for files that can enumerate user information and make HTTP requests. While presence of this behavior combination does not imply malicious intent, it is advised that the reported files are reviewed. One example of acceptable use for this type of data collection is the opt-in telemetry for software debugging purposes.

Prevalence in Visual Studio Code community

28 packages

found in

Top 100

137 packages

found in

Top 1k

348 packages

found in

Top 10k

1.67k packages

in community

Next steps

Investigate reported detections as indicators of software tampering.

Consult Mitre ATT&CK documentation: T1033 - System Owner/User Discovery.

Consider limiting the collection of user information to a minimum.

Problem

Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. URL paths provide additional information to a web service when making a request. They are an optional, but an important part of the URL, as they may define specific content or actions based on the data being passed. Some parameters they pass might be considered sensitive information. Since path components are not encrypted this might cause sensitive information to leak. This issue is raised for URL paths than might contain information that attackers can easily intercept. Examples of sensitive information fields include passwords and other similar parameters.

Prevalence in Visual Studio Code community

39 packages

found in

Top 100

249 packages

found in

Top 1k

1056 packages

found in

Top 10k

5.32k packages

in community

Next steps

Investigate reported detections.

If the software should not include these network references, investigate your build and release environment for software supply chain compromise.

You should delay the software release until the investigation is completed, or until the issue is risk accepted.

Consider removing all references to flagged network locations.

Problem

Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that indirect calls are made only to vetted functions. This mitigation protects dynamically resolved function targets by instrumenting the code responsible for transferring execution control. Higher-level programming languages implement structured exception handling by managing their own code flow execution paths. As such, they are subject to code flow hijacking during runtime. Language-specific exception handling mitigation enforces execution integrity by instrumenting calls to manage execution context switching. Any deviation from the known and trusted code flow paths will cause the application to terminate. This makes malicious code less likely to execute.

Prevalence in Visual Studio Code community

47 packages

found in

Top 100

286 packages

found in

Top 1k

912 packages

found in

Top 10k

4.37k packages

in community

Next steps

It's highly recommended to enable this option for all software components used at security boundaries, or those that process user controlled inputs.

To enable this mitigation, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.

Top behaviors

See all behaviors

Prevalence in Visual Studio Code community

Behavior often found in this community (Common)

26 packages

found in

Top 100

136 packages

found in

Top 1k

330 packages

found in

Top 10k

1.5k packages

in community

Prevalence in Visual Studio Code community

Behavior uncommon for this community (Uncommon)

12 packages

found in

Top 100

39 packages

found in

Top 1k

68 packages

found in

Top 10k

491 packages

in community

Prevalence in Visual Studio Code community

Behavior uncommon for this community (Uncommon)

7 packages

found in

Top 100

27 packages

found in

Top 1k

71 packages

found in

Top 10k

225 packages

in community

Prevalence in Visual Studio Code community

Behavior often found in this community (Common)

67 packages

found in

Top 100

547 packages

found in

Top 1k

2891 packages

found in

Top 10k

14.99k packages

in community

Prevalence in Visual Studio Code community

Behavior often found in this community (Common)

31 packages

found in

Top 100

159 packages

found in

Top 1k

346 packages

found in

Top 10k

1.56k packages

in community

Top vulnerabilities

No vulnerabilities found.

FAQ for PHP

What is PHP?

All-in-One PHP support - IntelliSense, Debug, Formatter, Code Lenses, Code Fixes, Linting, Refactoring, PHPUnit Tests, Web Server, and more. For more information about this package, visit its homepage.

Is PHP malicious or is it safe to use?

The VS Code package PHP was scanned for malware, software tampering, risky behaviors, exposed secrets and known vulnerabilities. The package contains risks, and the analysis results should be reviewed before it is downloaded and used. Visit the Issues and Behaviors sections of the analysis for more details.

Is PHP popular?

The VS Code package PHP ranks among the top 1000 projects in this community. It has 6M recorded downloads. A package's popularity is not a good indicator of its safety, visit the SAFE Assessment section to see the full analysis of package deployment risk categories.

How do I secure PHP once it is in my app?

Since we can't know when or where malicious attacks will happen, we recommend tracking how PHP behaviors change over multiple software releases. By adopting differential analysis in your release process, you can detect unexpected changes to a PHP version, which can prevent advanced software supply chain attacks. Read how our technology can help prevent future attacks similar to SolarWinds and 3CX.

Did you know...

... that you can use ReversingLabs’ Spectra Assure platform to perform regular risk assessments of packages you develop in-house?

We recommend continuous software safeness monitoring through CI/CD integrations and pre-release/deployment checks. In addition to basic package information found on this page our platform offers rich reports for developers and DevSecOps that help them remediate all reported issues.

This website uses cookies to ensure the best website experience. By continuing to use this website you are giving your consent to cookies being used. Detailed information about our use of cookies is here.

Popularity

6.38M

Total Installs

Contributor

Declared Dependencies

Dependents

Top issues

See all issues

Problem

Prevalence in Visual Studio Code community

79 packages

found in

Top 100

622 packages

found in

Top 1k

4233 packages

found in

Top 10k

29.36k packages

in community

Next steps

Investigate reported detections.

If the software should not include these network references, investigate your build and release environment for software supply chain compromise.

You should delay the software release until the investigation is completed, or until the issue is risk accepted.

Consider an alternative delivery mechanism for software packages.

Problem

Prevalence in Visual Studio Code community

14 packages

found in

Top 100

112 packages

found in

Top 1k

273 packages

found in

Top 10k

1.71k packages

in community

Next steps

Review the reported matches. If the warning refers to a placeholder credential value, it can be safely ignored.

Problem

Prevalence in Visual Studio Code community

28 packages

found in

Top 100

137 packages

found in

Top 1k

348 packages

found in

Top 10k

1.67k packages

in community

Next steps

Investigate reported detections as indicators of software tampering.

Consult Mitre ATT&CK documentation: T1033 - System Owner/User Discovery.

Consider limiting the collection of user information to a minimum.

Problem

Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. URL paths provide additional information to a web service when making a request. They are an optional, but an important part of the URL, as they may define specific content or actions based on the data being passed. Some parameters they pass might be considered sensitive information. Since path components are not encrypted this might cause sensitive information to leak. This issue is raised for URL paths than might contain information that attackers can easily intercept. Examples of sensitive information fields include passwords and other similar parameters.

Prevalence in Visual Studio Code community

39 packages

found in

Top 100

249 packages

found in

Top 1k

1056 packages

found in

Top 10k

5.32k packages

in community

Next steps

Investigate reported detections.

If the software should not include these network references, investigate your build and release environment for software supply chain compromise.

You should delay the software release until the investigation is completed, or until the issue is risk accepted.

Consider removing all references to flagged network locations.

Problem

Prevalence in Visual Studio Code community

47 packages

found in

Top 100

286 packages

found in

Top 1k

912 packages

found in

Top 10k

4.37k packages

in community

Next steps

It's highly recommended to enable this option for all software components used at security boundaries, or those that process user controlled inputs.

To enable this mitigation, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.

Top behaviors

See all behaviors

Prevalence in Visual Studio Code community

Behavior often found in this community (Common)

26 packages

found in

Top 100

136 packages

found in

Top 1k

330 packages

found in

Top 10k

1.5k packages

in community

Prevalence in Visual Studio Code community

Behavior uncommon for this community (Uncommon)

12 packages

found in

Top 100

39 packages

found in

Top 1k

68 packages

found in

Top 10k

491 packages

in community

Prevalence in Visual Studio Code community

Behavior uncommon for this community (Uncommon)

7 packages

found in

Top 100

27 packages

found in

Top 1k

71 packages

found in

Top 10k

225 packages

in community

Prevalence in Visual Studio Code community

Behavior often found in this community (Common)

67 packages

found in

Top 100

547 packages

found in

Top 1k

2891 packages

found in

Top 10k

14.99k packages

in community

Prevalence in Visual Studio Code community

Behavior often found in this community (Common)

31 packages

found in

Top 100

159 packages

found in

Top 1k

346 packages

found in

Top 10k

1.56k packages

in community

Top vulnerabilities

No vulnerabilities found.

PHP

SAFE Assessment

Compliance

Security

Threats

IMPORTANT: This package had 30 removal incidents in versions published within 2 years prior to the latestLatest version with removal incident detected: over 1 year agoVersion: 1.52.16273

INCIDENTS FOR THIS VERSION:

Popularity

Top issues

TH17127Detected presence of files containing URLs that link to raw files on GitHub.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

SQ34302Detected presence of plaintext credentials within network protocol strings.Causes risk: web service credentials foundsecrets

Problem

Prevalence in Visual Studio Code community

Next steps

TH16106Detected presence of files that collect and exfiltrate user information.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

TH17119Detected presence of files containing URLs with suspicious path components.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

SQ14127Detected Windows executable files that do not implement long jump control flow vulnerability mitigation protection.Causes risk: low priority mitigations absenthardening

Problem

Prevalence in Visual Studio Code community

Next steps

Top behaviors

Retrieves the name of the user associated with the process.search

Prevalence in Visual Studio Code community

Requests permission to open other processes.permissions

Prevalence in Visual Studio Code community

Requests permission required to perform a number of security-related functions, such as controlling and viewing audit messages.permissions

Prevalence in Visual Studio Code community

Modifies file/directory permissions.permissions

Prevalence in Visual Studio Code community

Deletes files in Windows system directories.file

Prevalence in Visual Studio Code community

Top vulnerabilities

FAQ for PHP

What is PHP?

Is PHP malicious or is it safe to use?

Is PHP popular?

How do I secure PHP once it is in my app?

Did you know...

Popularity

Top issues

TH17127Detected presence of files containing URLs that link to raw files on GitHub.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

SQ34302Detected presence of plaintext credentials within network protocol strings.Causes risk: web service credentials foundsecrets

Problem

Prevalence in Visual Studio Code community

Next steps

TH16106Detected presence of files that collect and exfiltrate user information.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

TH17119Detected presence of files containing URLs with suspicious path components.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

SQ14127Detected Windows executable files that do not implement long jump control flow vulnerability mitigation protection.Causes risk: low priority mitigations absenthardening

Problem

Prevalence in Visual Studio Code community

Next steps

Top behaviors

Retrieves the name of the user associated with the process.search

Prevalence in Visual Studio Code community

Requests permission to open other processes.permissions

Prevalence in Visual Studio Code community

Requests permission required to perform a number of security-related functions, such as controlling and viewing audit messages.permissions

Prevalence in Visual Studio Code community

Modifies file/directory permissions.permissions

Prevalence in Visual Studio Code community

Deletes files in Windows system directories.file

Prevalence in Visual Studio Code community