Backdoor In PHP Source Code Discovered

Unidentified attackers recently compromised the PHP Git server and injected a backdoor into the PHP source code. PHP maintainers have reverted the modifications, and the investigation into this supply chain attack continues.

PHP Git Server Hacked

Reportedly, on March 28, 2021, attackers compromised the PHP Git server and pushed malicious commits that altered the PHP code. The commits were specifically aimed at injecting a backdoor into the PHP source code.

While the investigation is in progress, it presently seems that the attackers did not compromise any individual accounts. Rather, they compromised the git.php.net server itself. The attackers then pushed the malicious commits to the php-src repo, making them appear to be signed by PHP developers Rasmus Lerdorf and Nikita Popov.

While the developers quickly thwarted the attack and reverted the malicious changes, they realized the underlying security risk. Consequently, they have decided to move to GitHub. Sharing the details, Popov stated,

We have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.

What Next?

With the move to GitHub, the team has asked all users to request access to the repository by contacting the developers.

While previously write access to repositories was handled through our home-grown karma system, you will now need to be part of the php organization on GitHub.

Users can write to the developers with their php.net and GitHub account names and the permissions they need. Users must also enable two-factor authentication on their accounts to join the PHP organization on GitHub.

For now, Popov confirmed that the repositories are being reviewed for any potential malicious changes aside from the two identified commits.
