Once a web shell is uploaded, the attacker has a "backdoor" into your server, allowing them to steal data, delete files, or use your server to launch attacks on others. Why is it showing up as an "Index of"?
If your vendor folder is visible this way, it’s a double failure: index of vendor phpunit phpunit src util php evalstdinphp
Have you checked your recently to ensure directory listing is disabled across all sensitive folders? Once a web shell is uploaded, the attacker
If you are running PHPUnit in a production environment, PHPUnit is a development tool and has no place on a live production server. Once a web shell is uploaded