“[On Sunday, March 28] two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and myself. We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” developer Nikita Popov explained in a message sent out through one of the project’s mailing lists.
The unidentified attackers disguised the proposed changes as attempts to fix a typo, but their true nature was luckily recognized by the developers before making it into production.
Had they succeeded, the attackers would have been able to use the backdoor to execute malicious PHP code on targeted servers.
The PHP development team is still investigating and reviewing the repositories for any corruption beyond those two commits but, in the meantime, they also decided to stop using their own git infrastructure and make the GitHub repositories canonical.
“This means that changes should be pushed directly to GitHub rather than to git.php.net. This change also means that it is now possible to merge pull requests directly from the GitHub web interface,” Popov added, and urged contributors to get in touch if they are not yet part of the php organization on GitHub or don’t have access to a repository they should have access to.