Had the incident gone unnoticed, the attackers could have taken over websites using the tainted code

Unknown attackers compromised the official PHP Git server and planted a backdoor in the source code of the programming language, potentially putting websites using the tainted code at risk of complete takeover.

The bad actor pushed two malicious commits to the php-src repository – one in the name of PHP creator Rasmus Lerdorf himself and the other disguised as being signed off by Nikita Popov, a well-known PHP developer and maintainer. The first commit was allegedly fixing a minor typo in the code, whereas the second commit claimed to revert the fix.

“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov said in an announcement about the compromise, which was spotted on Sunday.

Speaking to BleepingComputer, Popov said that they noticed the first commit during a routine post-commit code review, and the changes to the code were reverted immediately – in time before it could have been pushed into production environments. The open-source server-side language is commonly used in web development.

The code change was first noticed by contributors Markus Staab, Michael Voříšek, and Jake Birchall. Voříšek became suspicious about the code change and asked about its function, to which Birchall responded that the “line executes PHP code from within the useragent HTTP header, if the string starts with ‘zerodium’.”

Indeed, it seems that the attackers wanted to implicate Zerodium, a company that bills itself as “the leading exploit acquisition platform for premium zero-days”. However, per its CEO, the zero-day broker had nothing to do with the incident.

Following the breach, the PHP team decided to transition from its own Git infrastructure to mitigate the risks. “While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net,” Popov said.

The PHP team is now pushing for added security. While previously developers who wanted to contribute needed to use the organization’s “home-grown” karma system, they’ll now need to become members of PHP’s GitHub repo and have two-factor authentication enabled.

In the meantime, PHP is performing a security audit of its repositories to check for any further signs of compromise or malicious code beyond the two commits.