An unknown hacker on Sunday added a backdoor to the code repository for PHP, the popular open source server-side scripting language.

Nikita Popov, a PHP developer and maintainer, said Sunday that two commits were made to the php-src repository, one in his name and another in Rasmus Lerdorf's - who helped PHP get off the ground in 1995 - name.

To make the commits, Popov believes the attacker compromised PHP's main Git server, which is self-hosted, not a user account.

“We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov said in an email disclosing the news to the PHP mailing list on Sunday night.

As compromises sometimes do, the incident sounds like it prompted a change from within. Because of the malicious commits, Popov says the project will move away from its git server and instead amend its repositories on GitHub so they're canonical.

Previously the repositories were mirrors. Going forward changes will be pushed directly to GitHub, instead of surfacing on git.php.net. Also going forward, write access to repositories will be done through GitHub too; admins will have to have two factor authentication enabled, something which should add an additional level of protection.

The malicious commits are still viewable on GitHub and can be seen here and here.

While a line in one of the malicious updates to the code says "REMOVETHIS: sold to zerodium, mid 2017," Chaouki Bekrar, Zerodium's CEO, insists the mention is just trolling and that likely whoever found the exploit "burned it for fun."

Cheers to the troll who put "Zerodium" in today's PHP git compromised commits. Obviously, we have nothing to do with this.

Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun

— Chaouki Bekrar (@cBekrar) March 29, 2021

While it's unclear how the attack took place, it's not a huge surprise that the commits showed up under Popov and Ledorf’s names; it is possible using source code version control systems like Git to commit changes under the names of people other than yourselves.

A PHP developer Jake Birchall, was one of the first to acknowledge on GitHub that the change could result in the execution of PHP code.

"This line executes PHP code from within the useragent HTTP header, if the string starts with 'zerodium'," Birchall told Michael Voříšek on GitHub Sunday night.

It's worth noting there was never any immediate danger to users because of the commits; they were found following a code review and reverted soon after.

Still, PHP is one of the most popular server-side programming languages; its behind 79.1% of websites across the internet, according to W3Techs, a service that aggregates information on website technology. That means that anything that could jeopardize the language, including a seemingly stealthy supply chain compromise like this one, if left unchecked, could have an impact on the rest of the internet.