
Package Manager Security in 2025: What's Next?

Nils Adermann

Package managers are critical infrastructure—and prime targets for supply chain attacks. This talk examines recent security incidents across npm, PyPI, and other ecosystems to understand what threats apply to Composer and Packagist.

We'll explore emerging security standards including SLSA, trusted publishing, build provenance attestations, and reproducible builds. You'll learn how GitHub Actions has become an attack vector, what organizations like OpenSSF and its Package Repository Working Group are doing, which improvements other language packaging ecosystems have recently introduced, and how two new projects funded by Germany's Sovereign Tech Agency will improve security for the PHP ecosystem.

Whether you maintain packages or just run composer install, you'll gain practical insights into supply chain security threats and the tools being built to address them.

Delivered in English
Track: SensioLabs

Friday, November 28, 2025, 14:30 – 15:05