In yet another instance of a software supply chain attack, the official Git server of the PHP programming language was compromised and unauthorized commits were pushed to insert a backdoor into its source code.
The two malicious commits were pushed to the "php-src" repository hosted on the git.php.net server, illicitly using the names of Rasmus Lerdorf, the author of the programming language, and Nikita Popov, a software developer at JetBrains.
The changes are said to have been made yesterday, March 28.
"We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account)," Popov said in an announcement.
The changes, which were committed as "Fix Typo" in an attempt to slip by undetected as a typographical correction, added code that executes arbitrary PHP supplied by a remote client in an HTTP request header. "This line executes PHP code from within the useragent HTTP header, if the string starts with 'zerodium'," PHP developer Jake Birchall said.
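The following is an added detection example, not code from the PHP project or from the article. It shows how a defender could scan captured HTTP requests for the trigger described above: a header value beginning with "zerodium" whose remainder would have been handed to the interpreter. Besides the "User-Agent" header named in the quote, the check also covers the misspelled "User-Agentt" header, which is the name the injected line actually read from the request; the sample requests and the host name example.test are constructed for illustration.

```python
"""Scan raw HTTP requests for the php-src backdoor trigger (added example)."""

# The injected code evaluated what followed this marker as PHP.
TRIGGER = "zerodium"

# "user-agent" is the header named in the article; "user-agentt" (double t)
# is the misspelled header the injected line actually read. Checking both
# costs nothing and catches either spelling.
HEADERS_OF_INTEREST = ("user-agent", "user-agentt")


def parse_request_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.x request into a dict
    keyed by lowercase header name. The request line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def backdoor_trigger(raw_request: str):
    """Return (header_name, payload) when the request carries the trigger,
    i.e. an inspected header whose value starts with "zerodium". The payload
    is the rest of the value, which is what the backdoor would have evaluated.
    Returns None for benign requests."""
    headers = parse_request_headers(raw_request)
    for name in HEADERS_OF_INTEREST:
        value = headers.get(name)
        if value is not None and value.startswith(TRIGGER):
            return name, value[len(TRIGGER):]
    return None


def scan(requests):
    """Return a list of (index, header_name, payload) for every request
    in `requests` that would have reached the injected eval."""
    hits = []
    for i, req in enumerate(requests):
        hit = backdoor_trigger(req)
        if hit is not None:
            hits.append((i, hit[0], hit[1]))
    return hits


# Constructed sample traffic: one benign request and two trigger attempts.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agentt: zerodiumecho 1;\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: zerodiumphpinfo();\r\n\r\n",
]

if __name__ == "__main__":
    for index, header, payload in scan(SAMPLE_REQUESTS):
        print(f"request {index}: trigger in {header!r}, payload {payload!r}")
```

The same check translates directly into a WAF or IDS rule: match on either header name, anchored at the start of the value, and log the remainder of the value as the attempted payload.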
Besides reverting the changes, the maintainers of PHP are said to be reviewing the repositories for any corruption beyond the aforementioned two commits. Additionally, contributing to the PHP project will now require developers to be added as part of the organization on GitHub.
It is not immediately clear whether the tampered codebase was downloaded and distributed by other parties before the changes were spotted and reverted.
We have reached out to the maintainers of PHP for more comments, and we will update the story if we hear back.