Backdoor planted in PHP Git repository after server hack

An unknown actor compromised the official PHP Git repository last night (March 28), pushing backdoored code under the guise of a minor edit.

The malicious attacker pushed two commits to the php-src repo for the popular scripting language that contained a backdoor allowing for remote code execution (RCE), maintainers revealed.

PHP is thought to underpin almost 80% of websites, according to a study by Web Technology Surveys. This includes all WordPress sites, which are built on PHP.

It is so far unknown who the perpetrator was or how they were able to publish the commits, since they were uploaded under legitimate maintainers’ names.

However, it is known that the malicious actor pushed the changes under an upstream named ‘fix typo’, apparently trying to cover their tracks by claiming they were making minor changes to the code.


Digging deeper, the code actually planted a backdoor that opened the door for the remote takeover of any website that uses PHP.

Maintainer Nikita Popov wrote in a statement that they believe attackers found a way in through compromise of the git.php.net server rather than any individual account.

The team behind PHP has discontinued the git.php.net server and the repositories on GitHub, which were previously only mirrors, will become canonical, they said.

This means that changes should be pushed directly to GitHub rather than to git.php.net.

Maintainers are now reviewing the repositories for any signs of further compromise.

Mistaken identity

The malicious code includes reference to ‘Zerodium’, a US company known for buying zero-day exploits.

This has sparked conversation online as the cybersecurity community scrambles to determine who is behind the attack.

Twitter user @LiveOverflow suggested that the mention could be a joke, tweeting: “What’s your guess regarding the “Zerodium” reference? Just a joke? Or maybe talking about the root bug that lead [SIC] to the repo compromise?”


Zerodium CEO Chaouki Bekrar shut down rumors that it was involved, instead pointing to the real attackers as being “trolls”.

They wrote: “Cheers to the troll who put ‘Zerodium’ in today’s PHP git compromised commits. Obviously, we have nothing to do with this.

“Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun.”

An investigation is still underway with no confirmed reports pointing to the identity of the attacker.

The Daily Swig has reached out to Popov for comment and will update this article accordingly.

Related posts

Leave a Comment