Lyra traced the access logs. The attacker hadn’t just found the file—they’d used it. POST requests to eval-stdin.php with base64-encoded payloads. System reconnaissance. Database dumps. A reverse shell that had been sleeping inside their cloud environment for eleven days.

Lyra stared at the terminal. The breach alert had blinked twice, then gone silent—not fixed, but hidden. That was worse.

If you're still encountering issues, consider providing more details about your project setup (PHP version, PHPUnit version, etc.) and the exact error message you're seeing. This would help in giving a more specific solution.

Nevertheless, a compromised composer.json that allows arbitrary test execution could potentially be used to abuse this script. This is why security best practices mandate keeping vendor/bin/phpunit out of production.

She had tried to fix it. She had pushed the change. But the deployment script ignored vendor exclusions, and PHPUnit was a dev dependency that somehow lingered in the production image like a curse.