PHP is an open-source scripting language web developers embed in HTML to manage dynamic content, databases, and other everyday tasks. The PHP project maintains its repositories on its own git infrastructure. Over the weekend, someone pushed malicious commits that may have allowed hackers to attack websites that use the PHP repositories.
Over the weekend, attackers uploaded two malware payloads to the PHP git server, one would have created a backdoor to PHP-enabled websites. Both were found and reverted before going into production. The two commits were pushed to the php-src repository on Sunday under the user names of PHP maintainers Nikita Popov (nikic) and Rasmus Lerdorf (rlerdorf).
The descriptions said they were corrections to “fix typos.” Popov immediately issued a statement saying he and Lerdorf are unsure how the attackers uploaded the malicious code under their names but think someone with push access compromised the server.
“Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and myself,” Popov wrote. “We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account).”
As a result of the attack, they decided that maintaining the project on their own git server is “an unnecessary security risk.” The project’s GitHub repositories, which were previously just mirrors, will now become canonical, and the git.php.net server will be shut down. Contributors to the project must join the PHP organization on GitHub to push commits.
Popov notes that as an added precaution, they are reviewing all repositories for any other possible “corruptions” and asks that if anyone else sees anything suspicious, to let him know.