The official PHP Git repository was breached in the most recent software supply chain assault, and the code base was modified.

Yesterday, two malicious commits were uploaded to the PHP team’s git.php.net server, which hosts the php-src Git repository.
Threat actors had verified these contributions as though Rasmus Lerdorf and Nikita Popov, two well-known PHP developers and maintainers, had created them.

PHP Git server has an RCE backdoor installed.

Yesterday, two malicious contributions were uploaded to the official PHP Git repository in an effort to corrupt the PHP code base.
The event is concerning since 79% of websites on the Internet still use PHP as their server-side programming language.

The attackers released a mystery update upstream called “repair typo” in the malicious commits [1, 2] that BleepingComputer saw under the guise of a little typographical patch.

Looking closer at the newly added line 370, where the zend eval string function is used, reveals that the code in fact creates a backdoor for quickly achieving Remote Code Execution (RCE) on a website using this hacked version of PHP.

Developer Jake Birchall for PHP responded to Michael Voek, who had discovered the error originally, with the explanation, “This line runs PHP code from within the useragent HTTP header, if the string starts with ‘zerodium’.”

Nikita Popov, a PHP maintainer, explained the following to us through email:

“During a regular post-commit code review a few hours after the initial commit, it was discovered. The modifications were immediately undone since they were blatantly malicious “According to Popov, BleepingComputer.

The malicious commit was also done under Rasmus Lerdorf’s identity, the person who created PHP.

But that should come as no surprise because with source code version control systems like Git, it is feasible to sign off a change locally under a different identity [1, 2] and then upload the spoof commit to the remote Git server, where it seems to have been signed off by the person listed on it.

According to PHP maintainers, this malicious behaviour originated from the hacked git.php.net server rather than from the breach of an individual’s Git account, despite the fact that a thorough investigation of the situation is still continuing.

The official PHP codebase has been moved to GitHub.

Following this event, the PHP maintainers have chosen to move the official PHP source code repository to GitHub as a precaution.

We’ve made the decision to stop running the git.php.net server even though our investigation is still ongoing since we believe that keeping our own git infrastructure is an unnecessary security risk.

Popov stated that the GitHub repositories, which were previously merely mirrors, “would become canonical.”

After this modification, Popov demands that any future code updates be uploaded directly to GitHub rather than the git.php.net site.

Anyone who wants to contribute to the PHP project must now join the PHP organisation on GitHub.

The same security alert includes advice for doing that.

You would need to have two-factor authentication (2FA) set on your GitHub account in order to join the organisation.

Beyond the two commits that were mentioned, “We’re investigating the repositories for any corruption,” says Popov.

In order to learn the full scope of this attack and if any code was transmitted downstream before the fraudulent changes were discovered, BleepingComputer contacted Popov and the PHP security team.

Although it could have been cloned or forked in the interim, no tags or release artefacts reflect the changes.

Popov added to BleepingComputer, “The modifications were in the development branch for PHP 8.1, which is scheduled for release at the end of the year.

The PHP team has confirmed to BleepingComputer that they want to decommission their git server ultimately and switch to GitHub permanently in the coming days.