Supply Chain Attackscritical

PHP Git Backdoor: Attackers Push Malicious Commits to PHP's Official Source

Two malicious commits were pushed directly to PHP's official git.php.net repository under the names of well-known PHP core developers, attempting to insert a backdoor in the language itself — affecting every PHP server on the internet.

PHP / php.net·2021·2 min read

Background

PHP is the server-side scripting language running approximately 77% of all websites. Changes to PHP's source code are distributed to web servers through package managers and OS repositories. A backdoor in PHP's source would affect hundreds of millions of servers.

The Attack

On March 28, 2021, two commits appeared in the PHP git repository's master branch attributed to Rasmus Lerdorf (PHP's creator) and Nikita Popov (a core developer). The commits claimed to fix a "typo" but inserted code that executed arbitrary PHP code when the HTTP User-Agent header contained a specific prefix. Neither Rasmus nor Nikita had made the commits — the attackers had pushed directly to the php.net git server using compromised credentials or a server vulnerability. The backdoor, if shipped in a PHP release, would allow any attacker who knew the trigger string to execute arbitrary code on any server running the malicious PHP version.

Response

The PHP team identified the malicious commits within hours after Nikita Popov noticed a commit attributed to him that he had not made. The team reverted the commits, announced the incident, and migrated PHP's primary repository from the self-hosted git.php.net to GitHub, where stronger access controls and audit logging are available.

Outcome

The backdoor was caught before being included in any PHP release and never shipped to users. However, the incident demonstrated that even the source repository for one of the world's most widely deployed languages can be compromised. The migration to GitHub with enforced signed commits was a significant improvement.

Key Takeaways

  1. Source code repositories for widely deployed software must use signed commits and require multi-party approval for merges
  2. Self-hosted git servers for critical open source projects are harder to secure than managed platforms with enforced 2FA
  3. Core developer credentials for language source repositories are among the highest-value targets in the software supply chain
  4. Rapid review of commits to master branches of critical projects can catch malicious changes before release
PHPgit backdoorsource codemalicious commitopen source

More in Supply Chain Attacks

2020critical

SolarWinds Supply Chain Attack

2 min readSupply Chain Attacks
2017critical

CCleaner Backdoor: 2.27 Million Downloads Infected via Legitimate Software Update

2 min readSupply Chain Attacks
2018high

EventStream npm: Malicious Code Buried in Dependency Targets Bitcoin Wallet

2 min readSupply Chain Attacks