
sansec/magento2-module-cosmic-sting-jwt
=======================================


[Source](https://github.com/sansecio/magento2-module-cosmic-sting-jwt) | [Packagist](https://packagist.org/packages/sansec/magento2-module-cosmic-sting-jwt)

Important Notice
================


Adobe has released a [hotfix for the isolated patch](https://experienceleague.adobe.com/en/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/security-update-available-for-adobe-commerce-apsb24-40-revised-to-include-isolated-patch-for-cve-2024-34102?lang=en#hotfix) that ensures only the latest encryption key is used for JWTs. If you have applied this hotfix, this module is no longer necessary.

Cosmic Sting JWT
================


As [CosmicSting](https://sansec.io/research/cosmicsting-hitting-major-stores) enables attackers to read any file, attackers can steal Magento's secret encryption key. This encryption key can be used to generate JSON Web Tokens with full administrative API access.

Adobe offers a solution to change the encryption key, but all it does is *add* an additional key and then attempt to re-encrypt existing secrets with this key. It does nothing to invalidate the old key, which is still referenced in `app/etc/env.php`.

This module ensures that JWTs are only ever read using the latest encryption key. It is provided as-is and without any warranty or guarantees. Test extensively and use at your own risk.
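
The difference between validating against every retained key and validating against only the latest one, as an added sketch that is not the module's or Magento's own code. It assumes HS256 tokens and a whitespace-separated key list with the newest key last; the function names, key values and claims are hypothetical, constructed samples.

```php
<?php
// Added illustration, not code from the Sansec module or Magento core.
// Function names, key values and claims are hypothetical, constructed samples.
declare(strict_types=1);

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Minimal HS256 signer, used only to build the constructed test tokens below.
function signHs256(array $claims, string $key): string
{
    $input = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']))
        . '.' . b64url(json_encode($claims));
    return $input . '.' . b64url(hash_hmac('sha256', $input, $key, true));
}

// Returns true if the HS256 signature matches any key in $keys.
function verifyHs256(string $jwt, array $keys): bool
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    $header = json_decode((string) base64_decode(strtr($parts[0], '-_', '+/')), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return false; // pin the algorithm instead of trusting the token header
    }
    foreach ($keys as $key) {
        $expected = b64url(hash_hmac('sha256', $parts[0] . '.' . $parts[1], $key, true));
        if (hash_equals($expected, $parts[2])) {
            return true;
        }
    }
    return false;
}

// Assumed layout: keys separated by whitespace, newest key last.
$cryptKey = "constructed-old-key-0000\nconstructed-new-key-1111";
$keys     = preg_split('/\s+/', trim($cryptKey));
$latest   = [end($keys)];

$oldToken = signHs256(['sub' => 'constructed-user'], $keys[0]);
$newToken = signHs256(['sub' => 'constructed-user'], $latest[0]);

var_dump(verifyHs256($oldToken, $keys));   // old key, all retained keys
var_dump(verifyHs256($oldToken, $latest)); // old key, latest key only
var_dump(verifyHs256($newToken, $latest)); // new key, latest key only
```

A token signed with the retired key passes when the verifier is handed the full key list and fails when it is handed only the latest key, which is the behaviour the module enforces for JWTs.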

Installation
------------


```
composer require sansec/magento2-module-cosmic-sting-jwt
bin/magento setup:upgrade
```

License
-------


[MIT License](./LICENSE) - Copyright (c) 2024 Sansec

