Cybercriminals hacked into the official PHP Git repository in order to inject two malicious commits and change the codebase.
The attackers added commits under the names of PHP developers Rasmus Lerdorf and Nikita Popov. To hide their activity, they passed the changes off as minor typographical fixes; in fact, the commits altered the PHP source code to implement a remotely controlled backdoor.
The added line 370, where the zend_eval_string function is called, contained the code that actually implanted the backdoor, allowing remote code execution on any website running an infected build of PHP.
“This line executed PHP code from the user's HTTP header if the line began with 'zerodium',” PHP developer Jake Birchall explained to Michael Voříšek, who first pointed out the anomaly.
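The two facts above (a dynamic eval call added under the cover of a "typo fix", and a trigger string at the start of a request header) suggest two simple defender-side checks. The following is an added example, not code from the PHP project or from the article: a review-time scan that flags added diff lines introducing zend_eval_string, and a runtime scan that flags header values beginning with the trigger word. The diff excerpt and the header capture are constructed samples, not the real commit or real traffic, and the header-capture format (one "Name: value" per line) is an assumption.

```python
"""Defender-side checks modelled on the git.php.net backdoor incident.

Added example; not the PHP project's code and not the commit from the article.
All inputs below are constructed for illustration.
"""

# Constructed sample diff: mimics an "innocent" change that smuggles in an
# eval call. Line numbers and file name are invented, not the real commit.
SAMPLE_DIFF = """\
--- a/ext/standard/example.c
+++ b/ext/standard/example.c
@@ -365,6 +365,9 @@
     /* fix typo in comment */
+    if (hdr && strncmp(hdr, "zerodium", 8) == 0) {
+        zend_eval_string(hdr + 8, NULL, "example");
+    }
     return SUCCESS;
"""

# Constructed sample of captured request headers, one "Name: value" per line
# (assumed capture format). Only the second and third lines carry the trigger.
SAMPLE_HEADERS = """\
User-Agent: Mozilla/5.0 (X11; Linux x86_64)
User-Agent: zerodium-constructed-probe
X-Custom: zerodiumtest
Accept: text/html
"""

# Trigger word quoted in the article; the backdoor acted only when the
# header value began with it.
TRIGGER = "zerodium"

# Calls that evaluate a string as PHP code; a new call site in a "typo fix"
# deserves a reviewer's attention.
SUSPICIOUS_CALLS = ("zend_eval_string", "zend_eval_stringl")


def flag_diff_lines(diff_text):
    """Return (diff_line_no, stripped_text) for added lines that introduce
    a dynamic eval call.

    Only '+' lines are examined (the '+++' file header is skipped), so
    pre-existing uses elsewhere in the file do not trip the check. The
    reviewer still decides whether each hit is legitimate.
    """
    hits = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            body = line[1:]
            if any(call in body for call in SUSPICIOUS_CALLS):
                hits.append((n, body.strip()))
    return hits


def flag_header_lines(header_text, trigger=TRIGGER):
    """Return (line_no, header_name) for header values that begin with the
    trigger word, ignoring leading whitespace and letter case.

    Matching on the value prefix mirrors the backdoor's own condition, so a
    request that could have activated it is flagged regardless of header name.
    """
    hits = []
    for n, line in enumerate(header_text.splitlines(), 1):
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" line
        if value.strip().lower().startswith(trigger):
            hits.append((n, name.strip()))
    return hits


if __name__ == "__main__":
    for n, text in flag_diff_lines(SAMPLE_DIFF):
        print(f"diff line {n}: suspicious eval call: {text}")
    for n, name in flag_header_lines(SAMPLE_HEADERS):
        print(f"header line {n}: trigger prefix in {name}")
```

Both functions return their findings rather than only printing them, so the same logic can be dropped into a pre-merge hook (feed it `git diff` output) or a log-review job (feed it captured headers) and asserted on.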
According to Popov, the first commit was discovered a couple of hours after it was made, during a routine code review. The changes were clearly malicious and were immediately reverted.
The investigation into the incident is ongoing, and the developers believe the malicious changes came through a compromised git.php.net server rather than a compromised individual Git account. The changes affected the development branches for PHP 8.1, which is scheduled for release later this year.
The developers also decided to move the official PHP source code repository to GitHub for security reasons.