Skip to main content

Attackers Sought to Compromise PHP Source Code

by Chris Brook on Monday March 29, 2021

Contact Us
Free Demo

Two malicious commits over the weekend have forced the group in charge of PHP to discontinue its internal Git server.

An unknown hacker on Sunday added a backdoor to the code repository for PHP, the popular open source server-side scripting language.

Nikita Popov, a PHP developer and maintainer, said Sunday that two commits were made to the php-src repository, one in his name and another in Rasmus Lerdorf's - who helped PHP get off the ground in 1995 - name.

To make the commits, Popov believes the attacker compromised PHP's main Git server, which is self-hosted, not a user account.

“We don't yet know how exactly this happened, but everything points towards a compromise of the server (rather than a compromise of an individual git account),” Popov said in an email disclosing the news to the PHP mailing list on Sunday night.

As compromises sometimes do, the incident sounds like it prompted a change from within. Because of the malicious commits, Popov says the project will move away from its git server and instead amend its repositories on GitHub so they're canonical.

Previously the repositories were mirrors. Going forward changes will be pushed directly to GitHub, instead of surfacing on Also going forward, write access to repositories will be done through GitHub too; admins will have to have two factor authentication enabled, something which should add an additional level of protection.

The malicious commits are still viewable on GitHub and can be seen here and here.

While a line in one of the malicious updates to the code says "REMOVETHIS: sold to zerodium, mid 2017," Chaouki Bekrar, Zerodium's CEO, insists the mention is just trolling and that likely whoever found the exploit "burned it for fun."

While it's unclear how the attack took place, it's not a huge surprise that the commits showed up under Popov and Ledorf’s names; it is possible using source code version control systems like Git to commit changes under the names of people other than yourselves.

A PHP developer Jake Birchall, was one of the first to acknowledge on GitHub that the change could result in the execution of PHP code.

"This line executes PHP code from within the useragent HTTP header, if the string starts with 'zerodium'," Birchall told Michael Voříšek on GitHub Sunday night.

It's worth noting there was never any immediate danger to users because of the commits; they were found following a code review and reverted soon after.

Still, PHP is one of the most popular server-side programming languages; its behind 79.1% of websites across the internet, according to W3Techs, a service that aggregates information on website technology. That means that anything that could jeopardize the language, including a seemingly stealthy supply chain compromise like this one, if left unchecked, could have an impact on the rest of the internet.

Tags:  hacks

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.