Critical Composer Flaws Let Malicious Repositories Run Commands on Developers