PHP Announces Compromise of Main Git Server; Malware Uploaded
The PHP project announced this week that attackers were able to gain access to its main Git server, uploading two malicious commits, including a backdoor. Thankfully, the two commits were discovered before they were able to go into production.
PHP is a widely used open-source scripting language often used for web development. It can be embedded into HTML. The commits were pushed to the php-src repository, giving the attackers a supply-chain opportunity to infect websites whose operators pick up the malicious code believing it to be legitimate.
Both commits claimed to “fix a typo” in the source code. They were uploaded using the names of PHP’s maintainers, Rasmus Lerdorf and Nikita Popov, according to a message sent by Popov to the project’s mailing list on Sunday. He added that he did not think it was a simple case of credential theft.
In response to the hack, PHP is moving its servers to GitHub, making them canonical. The project is also reviewing all of its repositories for any corruption beyond the two commits that were found.