The PHP project on Sunday announced that attackers were able to gain access to its main Git server, uploading two malicious commits, including a backdoor. They were discovered before they went into production.
PHP is a widely used open-source scripting language often used for web development. It can be embedded into HTML. The commits were pushed to the php-src repository, thus offering attackers a supply-chain opportunity to infect websites that pick up the malicious code believing it to be legit.
Both commits claimed to “fix a typo” in the source code. They were uploaded using the names of PHP’s maintainers, Rasmus Lerdorf and Nikita Popov, according to a message sent by Popov to the project’s mailing list on Sunday. He added that he didn’t think it was simple case of credential theft.