Unidentified actors hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a secret backdoor into the source code. The actors used the names of Rasmus Lerdorf, the author of the programming language, and Nikita Popov, a software developer at JetBrains. The changes were committed as “Fix Typo”, in the expectation that they would slip through undetected as a typographical correction.
Secret backdoor
Nikita Popov published a post about the attacks and stated that the investigation is still underway. He also stated that they have decided that maintaining their own Git infrastructure is an unnecessary security risk, and that they will therefore discontinue the git.php.net server.
Instead of git.php.net, the repositories on GitHub will become canonical, which means changes should be pushed directly to GitHub. He also said that they don’t yet know how exactly this happened, but the most likely possibility is the compromise of the git.php.net server. Nikita Popov also said,
“While previously write access to repositories was handled through our home-grown karma system, you will now need to be part of the PHP organization on GitHub. If you are not part of the organization yet, or don’t have access to a repository you should have access to, contact me at [email protected] with your php.net and GitHub account names, as well as the permissions you’re currently missing. Membership in the organization requires 2FA to be enabled.”