No Comments

Cybercriminals invade PHP’s Git server and insert backdoor into source code


The official PHP repository hosted on a Git server, was hacked by cybercriminals, who made two modifications to the technology’s source code, inserting a backdoor, disguised as a typography correction, on Sunday (03/28). Another case of attack on the supply chain, but in this case, an open source solution, very popular in the market.

The changes were falsely signed by Rasmus Lerdorf and Nikita Popov, two developers known for maintaining and updating the technology. In a statement, Popov explains that they still do not know how the changes were made, but believes that it was a compromise of the server, hosted on Git and not their credentials on GitHub.

Popov's statement, published on Sunday (03/28) on the official PHP website.
Popov’s statement, published on Sunday (03/28) on the official PHP website.

“Two commits malicious files were uploaded to the php-src repository signed by Rasmus Lerdorf and me. We still don’t know how
exactly that happened
, but everything points to a compromise from the server (instead of a compromise from an individual git account)“, writes Popov on the official website of the technology.

One of the changes disguised as source correction, made by cybercriminals.
One of the alterations disguised as source correction, made by cybercriminals.

You commits, as the code changes on the platform are called were made in the source code of the PHP 8.1 developer version, which is still in development and should be released as a stable version by the end of this year.

Therefore, only PHP developers, or companies that use PHP massively, may have downloaded the modified update. Nonetheless, PHP is a very popular language on servers and companies that handle large amounts of data, like Facebook, for example.

In an interview with Bleeping Computer, Popov explains that the modifications were discovered hours after being submitted, during a routine code review process and immediately corrected.

“The first commit was found a few hours after it was done, as part of the routine post-commit code review. The changes were obviously malicious and reversed immediately“Popov told BleepingComputer.

Forged signatures on Git

In a post on the Dev website, Alex Grinman, founder of, explains how to make a signed commit by anyone else. According to him, legitimate commits show a green label, which represents verified users. Any commit without this tag could have been done by anyone.

Green label representing verified users. Photo: Alex Grinman, via Dev.
Green label representing verified users. Photo: Alex Grinman, via Dev.

“Anyone can define the“ author ”of a Git commit to any value. To prove that you are the author of a commit, you must attach a digital signature to it. The only way for anyone to know that it is actually your commit is to verify the signature of the commit “, writes Grinman.

Popov explains that, for security reasons, the repository with the official PHP source code will be completely migrated to GitHub and the Git repository will be permanently canceled.

“While the investigation is still ongoing, we decided that maintaining our own Git infrastructure is an unnecessary security risk and that we will be discontinuing the server … Instead, the repositories on GitHub, which used to be just mirrors, will become canonical”Announced Popov.

Thus, any changes to the PHP code will be sent directly to GitHub, instead of going to a Git server, in this case That is, to collaborate voluntarily with the project, it is necessary to be added to the developer base on GitHub and this must be done by the developers themselves.

Sources: Bleeping Computer; PHP; Dev.

See the original post at:

You might also like

More Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.