PHP Git server hacked – RCE backdoors injected into code

There appears to have been a successful supply chain attack on the official Git server of the PHP project. The attackers managed to push an unauthorized update that inserted a hidden backdoor into the source code.



I've just been informed about this on Twitter; colleagues at The Hacker News have disclosed it in this article. Nikita Popov from the project made the whole thing public in a post:

PHP Git Server hacked

The attack, according to the announcement below, probably happened yesterday, Sunday, March 28, 2021, but was noticed. Two malicious commits were pushed to the php-src repo [1] under the names of Rasmus Lerdorf and Nikita Popov.

Hi everyone,

Yesterday (2021-03-28) two malicious commits were pushed to the php-src
repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how
exactly this happened, but everything points towards a compromise of the
git.php.net server (rather than a compromise of an individual git account).

While investigation is still underway, we have decided that maintaining our
own git infrastructure is an unnecessary security risk, and that we will
discontinue the git.php.net server. Instead, the repositories on GitHub,
which were previously only mirrors, will become canonical. This means that
changes should be pushed directly to GitHub rather than to git.php.net.

While previously write access to repositories was handled through our
home-grown karma system, you will now need to be part of the php
organization on GitHub. If you are not part of the organization yet, or
don't have access to a repository you should have access to, contact me at
nikic@php.net with your php.net and GitHub account names, as well as the
permissions you're currently missing. Membership in the organization
requires 2FA to be enabled.

This change also means that it is now possible to merge pull requests
directly from the GitHub web interface.

We're reviewing the repositories for any corruption beyond the two
referenced commits. Please contact security@php.net if you notice anything.

Regards,
Nikita

[1]:
https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d
and
https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a

Nikita Popov writes that the operators do not yet know how exactly this happened, but everything points to a compromise of the git.php.net server (and not a compromise of a single Git account). The forensic investigation is presumably still going on to find the vulnerability and determine what has been compromised.

The developers have now decided that maintaining their own Git infrastructure is an unnecessary security risk. Therefore, the git.php.net server will be discontinued. Instead, the repositories on GitHub, which previously only functioned as mirrors, are to become canonical. This means that changes should be pushed directly to GitHub and no longer to git.php.net. Developers contributing to PHP will need to take this into account for their commits. Users of PHP who pulled source code yesterday should check whether the two commits linked above came with it. The Hacker News has more details about the compromised source code files in this article.
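One way to perform that check on a local php-src clone, as an added example that is neither the PHP project's nor the original post's code: it tests whether either of the two commit ids from the announcement is reachable from the checkout's HEAD. It assumes git is installed and takes the clone path as its first argument (default: the current directory); the script name check_php_src.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not from the PHP project or the original post.
# Checks whether a local php-src clone has either of the two malicious commits
# from the 2021-03-28 announcement reachable from its current HEAD.
# Assumption: git is installed; the clone path is $1 (defaults to ".").

MALICIOUS_COMMITS="c730aa26bd52829a49f2ad284b181b7e82a68d7d 2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a"

# contains_commit <repo> <sha>: prints "yes" if <sha> is an ancestor of HEAD in <repo>,
# "no" otherwise (also when <repo> is not a git repo or <sha> is unknown to it).
contains_commit() {
    repo="$1"
    sha="$2"
    if git -C "$repo" merge-base --is-ancestor "$sha" HEAD 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# check_checkout <repo> <sha>...: reports each commit; returns 1 if any is present,
# so the result can drive a CI gate or a scripted re-clone.
check_checkout() {
    repo="$1"
    shift
    status=0
    for sha in "$@"; do
        if [ "$(contains_commit "$repo" "$sha")" = yes ]; then
            echo "COMPROMISED: $sha is reachable from HEAD in $repo"
            status=1
        else
            echo "clean: $sha is not reachable from HEAD in $repo"
        fi
    done
    return "$status"
}

# Usage: ./check_php_src.sh /path/to/php-src
check_checkout "${1:-.}" $MALICIOUS_COMMITS
```

A "clean" result only covers these two commits; the announcement says the repositories are still being reviewed for further corruption, so a fresh clone from the canonical GitHub repository is the safer course.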

