
Is there any mechanism which can ensure that packages uploaded to packagist.org are free from malicious code? Is anyone looking at the source code in installed/uploaded packages?

For example: what if someone uploads a package which does its main function and, apart from that, sends my config file to an external server?

When installing packages is as easy as adding one line to composer.json, I am a bit worried that the above situation can happen.

mrok

1 Answer


That's the blessing and curse of open source software. You typically have the entire source code available for inspection. This means it's pretty hard for anybody to include malicious code and have it remain undetected, though it's not a complete insurance against it. Gauge the vibe around the package, how many people are using it, what comments or tickets in the issue tracker say.

It comes down to: don't use software you don't trust. Trust it by evaluating it yourself or by trusting the community to have done so.

deceze
Reminds me of the [WordPress pull request #18 on GitHub](https://www.google.com/search?q=https:%2F%2Fgithub.com%2FWordPress%2FWordPress%2Fpull%2F18) (unfortunately, no longer available). – Gumbo Feb 09 '13 at 23:20
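One concrete way to act on "evaluate it yourself" is to audit what composer.lock actually pins before running `composer install`. The Python script below is an added example, not code from the question, the answer, Composer, or Packagist. It reads a constructed composer.lock excerpt (package names, commit hashes and URLs are made up) and flags packages that can execute code inside Composer during installation (type `composer-plugin`), that are not pinned to an exact commit reference, that track a dev branch, or that were not published via packagist.org (judged by the `notification-url` field Packagist writes into lock entries; packages from custom repositories lack it or point elsewhere). The script only reports; deciding whether a flagged package is trustworthy is still the reviewer's job.

```python
import json

# Constructed composer.lock excerpt for demonstration (not a real project's lock
# file). Each entry carries the fields Composer writes for an installed package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            # Ordinary library, pinned to a commit, published through Packagist.
            "name": "vendor/utility",
            "version": "1.4.2",
            "type": "library",
            "source": {"type": "git",
                       "url": "https://github.com/vendor/utility.git",
                       "reference": "0123456789abcdef0123456789abcdef01234567"},
            "dist": {"type": "zip",
                     "url": "https://api.github.com/repos/vendor/utility/zipball/0123456789abcdef0123456789abcdef01234567",
                     "reference": "0123456789abcdef0123456789abcdef01234567",
                     "shasum": ""},
            "notification-url": "https://packagist.org/downloads/",
        },
        {
            # Composer plugin tracking a branch: runs inside Composer on install.
            "name": "vendor/installer-hook",
            "version": "dev-master",
            "type": "composer-plugin",
            "source": {"type": "git",
                       "url": "https://github.com/vendor/installer-hook.git",
                       "reference": "89abcdef0123456789abcdef0123456789abcdef"},
            "notification-url": "https://packagist.org/downloads/",
        },
        {
            # Package from a local path repository: no commit, not via Packagist.
            "name": "internal/legacy",
            "version": "2.0.0",
            "type": "library",
            "dist": {"type": "path", "url": "../legacy", "reference": None},
        },
    ],
    "packages-dev": [],
})

PACKAGIST_NOTIFY_URL = "https://packagist.org/downloads/"


def audit_lock(lock_text: str) -> dict:
    """Return {package name: [findings]} for every package that needs a closer look.

    lock_text is the JSON content of a composer.lock file. Packages with no
    findings are omitted from the result.
    """
    lock = json.loads(lock_text)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            notes = []

            # Composer plugins are loaded into the Composer process itself, so they
            # run code at install/update time, before any of your application runs.
            if pkg.get("type") == "composer-plugin":
                notes.append("composer-plugin: executes code inside Composer during install/update")

            # Without a commit reference the archive is not tied to a revision you
            # can review; what gets installed may differ from what was inspected.
            dist_ref = (pkg.get("dist") or {}).get("reference")
            src_ref = (pkg.get("source") or {}).get("reference")
            if not (dist_ref or src_ref):
                notes.append("no commit reference: contents are not pinned to an exact revision")

            # Branch versions (dev-main, 1.x-dev, ...) move without a version bump.
            version = pkg.get("version", "")
            if version.startswith("dev-") or version.endswith("-dev"):
                notes.append("dev branch version: contents can change without a version bump")

            # Lock entries resolved from Packagist carry its notification URL;
            # anything else came from a custom/VCS/path repository you configured.
            if pkg.get("notification-url") != PACKAGIST_NOTIFY_URL:
                notes.append("not published via packagist.org: review the custom repository it comes from")

            if notes:
                findings[pkg["name"]] = notes
    return findings


def format_report(findings: dict) -> str:
    """Render findings as plain text, one line per finding, sorted by package."""
    lines = []
    for name in sorted(findings):
        for note in findings[name]:
            lines.append(f"{name}: {note}")
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    # Replace SAMPLE_LOCK with open("composer.lock").read() to audit a real project.
    print(format_report(audit_lock(SAMPLE_LOCK)))
```

Run it against a real project by reading `composer.lock` from disk instead of `SAMPLE_LOCK`. The `composer-plugin` check is the one most worth acting on: since Composer 2.2 plugins must be explicitly listed under `config.allow-plugins` in the root composer.json, so an audit hit here should match an entry you knowingly added.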