whisperwow no, the extension shouldn't cause such an issue.
The extension doesn't write any file to disk, only to the Flarum/Wordpress databases. And certainly not elsewhere on the filesystem.
Unless the webserver runs as root even a malicious Flarum or Wordpress extension shouldn't be able to change your SSH settings or your shell user password.
I don't have any experience with cPanel. If I was locked out of a VPS with the password no longer functioning I would boot the VPS with a recovery image to reset it, like DigitalOcean offers. If you are able to change the password but the problem is not resolved, maybe you also configured some sort of public key, IP whitelist or other SSH settings, or a cPanel/server update bricked something?
Maybe cPanel offers a web console that allows you to run Composer commands directly from the browser as an alternative?
If you are able to login but the Composer command shows an error, please share the error message.