PHP’s git server gets compromised by another Supply Chain Attack

April 9, 2021

Another supply chain attack has been reported; this time the target is PHP’s Git repository and its data storage. The repository was compromised and the contents of the codebase were tampered with. The investigation is ongoing, and more details will be revealed in the coming days.

According to initial reports, the malicious activity originated from a server that had been compromised. The attackers were able to compromise the codebase by pushing two malicious commits to a Git repository maintained by the PHP team.

  • The threat actors forged the commits so that they appeared to come from known developers and members of the project.
  • One of the commits was made under the name of Rasmus Lerdorf, PHP’s creator, and the other under the name of Nikita Popov, one of the PHP maintainers.


More details on the attack on the PHP server

The first tampered commit was discovered during a routine post-commit code review, a couple of hours after it was created. The changes were tagged as malicious and immediately rolled back.

  • In the malicious commits, the attackers pushed their changes upstream with the comment “fix typo”, under the pretence of correcting minor typographical errors.
  • The commits, however, added lines that call the “zend_eval_string” function. This was planted as a backdoor for remote code execution on any website running the compromised version of PHP.
  • As a result, the PHP team has confirmed that it plans to decommission the git server.
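
As an added illustration of the kind of post-commit check described above (not code from the PHP project or from the original article), the Python below scans `git log -p` output and flags commits that add a `zend_eval_string` call, rating the finding high when the commit subject claims a cosmetic change such as “fix typo”. The word list, severity labels and sample log are assumptions constructed for the example.

```python
import re

# zend_eval_string is the call named in the article; \w* also covers its variants.
RISKY_CALL = re.compile(r"\bzend_eval_string\w*\s*\(")
TRIVIAL_SUBJECT = re.compile(r"\b(typo|whitespace|spelling)\b", re.I)  # hypothetical list

def parse_log(text):
    """Split `git log -p` text into commits with subject and added lines."""
    commits, cur, path = [], None, None
    for line in text.splitlines():
        if line.startswith("commit "):
            cur, path = {"sha": line.split()[1], "subject": "", "added": []}, None
            commits.append(cur)
        elif cur is None: continue
        elif line.startswith("+++ "):
            path = re.sub(r"^b/", "", line[4:])  # file the following hunks belong to
        elif line.startswith("+") and path is not None:
            cur["added"].append((path, line[1:].strip()))
        elif path is None and not cur["subject"] and line.startswith("    "):
            cur["subject"] = line.strip()  # first indented message line
    return commits

def flag_commits(text):
    """Return (sha, severity, path, code) for every added risky call."""
    findings = []
    for c in parse_log(text):
        # An eval call under a cosmetic subject is a message/diff mismatch.
        severity = "high" if TRIVIAL_SUBJECT.search(c["subject"]) else "review"
        findings += [(c["sha"], severity, p, code) for p, code in c["added"]
                     if RISKY_CALL.search(code)]
    return findings

# Constructed sample: placeholder hashes, paths and arguments, not the real commits.
SAMPLE_LOG = """\
commit aaaaaaa1
    fix typo
--- a/ext/example/example.c
+++ b/ext/example/example.c
@@ -10 +10,2 @@
 \tint ret = SUCCESS;
+\tzend_eval_string(input, NULL, "placeholder");
commit bbbbbbb2
    fix typo
--- a/README.md
+++ b/README.md
@@ -1 +1 @@
-Instalation notes
+Installation notes
"""
```

Calling `flag_commits(SAMPLE_LOG)` reports only the first commit; the genuine typo fix in the second produces no finding.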


This incident is one of several supply chain attacks reported over the past few weeks. Another victim is SITA, an aviation IT giant, which reported a severe data breach resulting from a highly sophisticated supply chain attack. Last month, further supply chain attacks abusing the dependency confusion bug were discovered targeting Microsoft, Amazon, Zillow and other giant corporations globally.

Attacks like these have drawn the cybersecurity community’s attention to the need for a robust security system that rigorously monitors every update to source code. More importantly, they point to the risks involved in using open source tools, software, and technologies, which cyber-attackers can exploit to launch a devastating supply chain attack.
