Packagist disclosed that a flaw in Composer caused GitHub Actions tokens to leak into publicly visible CI logs after GitHub began rolling out a new token format containing a hyphen in late April 2026. Composer's token validation rejected the new-format tokens and printed the full credential value into Actions error logs, exposing GITHUB_TOKEN values in workflows that used common helpers such as shivammathur/setup-php to register tokens into Composer's global auth config. GitHub has rolled back the new token format, but already-leaked tokens remain a risk and another rollout is expected in the coming weeks. Patches are available in Composer 2.9.8, 2.2.28 LTS, and 1.10.28, which remove the rejected token from error output and relax the validation regex. Packagist urges teams to update immediately and audit recent Actions logs for exposed credentials; Packagist.org and Private Packagist were not themselves affected.
// Alert
GitHub threat report
// GitHubHIGH
// Get alerts for GitHub