The official PHP git repository, http://git.php.net/, was compromised this Sunday, March 28.
An attacker was able to modify the PHP source code twice and inject a backdoor into it. Thankfully, both attempts were quickly detected and removed by the PHP team.
Per a statement released on PHP’s internal mailing list, the current investigation indicates that the git.php.net server itself was compromised, rather than an individual's account.
Everything points towards a compromise of the git.php.net server.
To prevent this from recurring, the official git repository will move from the project's own git.php.net server to the mirror on GitHub.
While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server.
Are you safe?
Yes. While the PHP repository itself may have been exploited, the backdoor left by the attacker was found before its malicious code reached a PHP release, meaning no released versions of PHP included this backdoor.
The PHP team is currently reviewing the repositories to ensure that no other modifications were made by the attacker, but nothing has been found up to now.