In the latest software supply chain attack, the official PHP Git repository was compromised and the code base tampered with. The changes are said to have been made yesterday on March 28.
Two malicious commits were pushed to the php-src repo under the names of Rasmus Lerdorf and Nikita Popov. Rasmus Lerdorf is the creator of PHP, and Nikita Popov is a software developer at JetBrains.
However, as bad as that sounds, the hackers also left a giant red flag for the PHP development team, suggesting the commits were meant as a warning about the vulnerability rather than as a direct exploit.
The PHP development team released an official statement confirming the source code breach on Sunday, March 28:
"While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net."
The backdoor, which hasn’t made its way into production, would have allowed an attacker to execute code on any vulnerable PHP server.
As a result of the breach, the PHP development team will change how it manages access to its Git server. It is making its GitHub repositories the de facto code base for the project; currently they are just a mirror.
After the switch, those requiring access to the PHP repositories will have to contact the development team directly to make a request.