PHP git server hacked with backdoor implanted.

Supply chain attacks have been on the rise in recent months. This time, attackers pushed unauthorized commits to the official PHP Git server, adding a hidden backdoor to the PHP source code.

Specifically, the malicious commits were pushed to the self-hosted “php-src” repository on that server under the names of Rasmus Lerdorf, the creator of PHP, and Nikita Popov, a PHP core developer employed at JetBrains.

The changes are reported to have been pushed yesterday, March 28.

“We don’t yet know how exactly this happened, but everything points towards a compromise of the server (rather than a compromise of an individual git account),” Popov said in an announcement.

The commits, labelled “Fix typo” in an attempt to pass unnoticed as a harmless typographical correction, inserted code that allowed execution of arbitrary PHP code.

“This line executes PHP code from within the useragent HTTP header (“HTTP_USER_AGENTT”), if the string starts with ‘zerodium’,” PHP developer Jake Birchall said.


Although the changes have since been reverted, it is not yet clear whether the tampered source was downloaded or distributed by other parties before the fix.
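The two facts above that matter to a defender are the trigger (a header PHP exposes as HTTP_USER_AGENTT whose value starts with “zerodium”) and the open question of whether a tampered checkout reached anyone. The following is an added example, not code from php-src, from the article, or from any of the people quoted: it folds wire header names into the $_SERVER key form PHP uses (upper-cased, hyphens to underscores, prefixed with HTTP_), classifies request heads against the trigger as the article describes it, and scans source text for the two indicator strings. The sample requests and sample source lines are constructed for illustration, and the function names are this example's own.

```python
"""Triage HTTP requests for the trigger the article describes: a request
header that PHP exposes as $_SERVER['HTTP_USER_AGENTT'] whose value starts
with 'zerodium'. Added illustration; not code from php-src or the article."""

from typing import Dict, List, Tuple

TRIGGER_KEY = "HTTP_USER_AGENTT"   # CGI key quoted in the article
TRIGGER_PREFIX = "zerodium"        # trigger string quoted in the article


def cgi_name(header: str) -> str:
    """Map a wire header name to the $_SERVER key PHP derives from it:
    upper-cased, '-' replaced by '_', prefixed with 'HTTP_'.
    So 'User-Agentt' (note the extra t) becomes 'HTTP_USER_AGENTT'."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def parse_request_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Parse a raw HTTP/1.x request head (request line plus headers) into
    (request_line, {cgi_key: value}). Names are folded into CGI form so
    'User-Agentt' and 'user-agentt' collapse to the same key, as PHP sees them."""
    lines = raw.split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":            # blank line terminates the header block
            break
        name, sep, value = line.partition(":")
        if not sep:               # malformed header line: ignore it
            continue
        headers[cgi_name(name)] = value.strip()
    return request_line, headers


def classify(headers: Dict[str, str]) -> str:
    """'trigger' if the value would fire the backdoor as the article describes,
    'suspicious-header' if a User-Agentt header is present at all (no ordinary
    client sends one), else 'clean'."""
    value = headers.get(TRIGGER_KEY)
    if value is None:
        return "clean"
    if value.startswith(TRIGGER_PREFIX):
        return "trigger"
    return "suspicious-header"


def triage(raw_requests) -> List[Tuple[str, str]]:
    """Classify every request head and return (request_line, verdict) pairs."""
    return [(rl, classify(h)) for rl, h in map(parse_request_head, raw_requests)]


def find_indicators(source_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every line containing either indicator
    string; useful for checking a php-src checkout that may have been fetched
    while the malicious commits were live."""
    hits = []
    for n, line in enumerate(source_text.splitlines(), 1):
        if TRIGGER_KEY in line or TRIGGER_PREFIX in line:
            hits.append((n, line))
    return hits


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agentt: zerodiumecho('probe');\r\n\r\n",
    "POST /api HTTP/1.1\r\nHost: example.test\r\nuser-agentt: curl/7.64\r\n\r\n",
]

# Constructed sample source text (not the real commit).
SAMPLE_SOURCE = (
    "int unrelated = 1;\n"
    "/* constructed sample line */\n"
    'const char *ua = getenv("HTTP_USER_AGENTT");\n'
)

if __name__ == "__main__":
    for request_line, verdict in triage(SAMPLE_REQUESTS):
        print(f"{verdict:18} {request_line}")
    for n, line in find_indicators(SAMPLE_SOURCE):
        print(f"indicator at line {n}: {line}")
```

Two practical caveats. Standard web server access logs record User-Agent, not User-Agentt, so this check only works on sources that keep full request headers (a reverse proxy, WAF or packet capture); the mere presence of a User-Agentt header is the stronger signal, since no ordinary client sends one. The prefix match follows the article's wording; widening it to a substring match costs nothing because the header should never appear at all. The same two strings are what to grep for in any php-src checkout or build fetched around March 28, since the article leaves open whether tampered source was distributed.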

A review of darknet forums and similar venues found no backdoors or entry points related to this supply chain attack being offered for sale.
