The official Git server of the PHP programming language was hacked by unidentified threat actors and unauthorized updates were pushed in order to insert a secret backdoor into its source code.
The two malicious commits were pushed to the self-hosted “php-src” repository hosted on the git.php.net server, illicitly using the names of Rasmus Lerdorf, the author of the programming language, and Nikita Popov, a software developer at Jetbrains.
The changes were made on March 28. Popov stated that they do not know yet how this has happened exactly, but it all points towards a compromise of the git.php.net server (rather than a compromise of an individual git account.
The changes, which were committed as “Fix Typo” to avoid being detected as a typographical correction, involved provisions for the arbitrary execution of arbitrary PHP code. PHP developer Jake Birchall said that this line executes PHP code from within the useragent HTTP header (“HTTP_USER_AGENTT”), if the string starts with ‘zerodium’.
Besides reverting the changes, the maintainers of PHP are reviewing the repositories for any corruption other than the ones mentioned above. It is not clear if the tampered codebase was downloaded and distributed by other parties before the changes were found and reversed.
Zerodium is a zero-day exploit broker known for acquiring high-impact and high-risk vulnerabilities found in some of the most used software products. Despite references in the backdoor code, there is no evidence to suggest if this was an attempt on the part of the hackers to sell a proof-of-concept (PoC) to the company.
The team behind PHP is making several changes, including migrating the source code repository to GitHub, with changes to be pushed directly to GitHub rather than to git.php.net going forward.
Additionally, contributing to the PHP project will now require developers to be added as a part of the organization on GitHub.
The development comes almost two months after researchers demonstrated a novel supply chain attack called “dependency confusion” which is designed to execute unauthorized code inside a target’s internal software build system.