The Laravel-Lang supply chain attack ran silently at autoload time and stole SSH keys, AWS tokens, and .env files from developer machines - not databases. Wrote up what actually happened and the composer workflow I changed after it (composer audit, jack raise-to-installed, exact version pinning).
dev.to/tegos/composer-update-is-not-safe-anymore-2bcf
