In the latest instance of a software supply chain attack, PHP’s Git repository has been hacked and the codebase was tampered with. The investigation into this incident is ongoing, and more details may be revealed in the coming days.

What has happened?

The malicious activity originated from the compromised git[.]php[.]net server, rather than from the compromise of an individual Git account. To compromise the PHP codebase, two malicious commits were pushed to a Git repository maintained by the PHP team.
  • The attackers had signed off on these commits, in a way that seems to spoof known PHP developers and maintainers.
  • One of the commits was made in the name of Rasmus Lerdorf (PHP creator) and the other one as Nikita Popov (PHP maintainer).

Additional details

The first commit was discovered during a routine post-commit code review, a couple of hours after it was created. The changes were malicious and were reverted immediately.
  • In those malicious commits, the attackers had published a mysterious change upstream, with the comment "fix typo" as a pretense of a minor typographical correction.
  • However, the added lines, in which the zend_eval_string function is called, planted a backdoor for Remote Code Execution on any website running this hijacked version of PHP.
  • The PHP team has now confirmed that it plans to decommission the git server (git[.]php[.]net).
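
The mismatch described above, a commit message claiming a typo fix while the added lines call zend_eval_string, is something a post-commit review gate can check mechanically. The following is an added example, not code from the PHP project or from this article; the sample patch, the keyword list for "trivial" messages and the function name review_patch are assumptions made for illustration.

```python
import re

# Constructed sample patch in `git format-patch` layout; NOT the real PHP commit.
SAMPLE_PATCH = """\
From: Example Dev <dev@example.org>
Subject: [PATCH] fix typo
---
--- a/ext/example/example.c
+++ b/ext/example/example.c
@@ -10,3 +10,6 @@ static void example_handler(void)
     int status = 0;
-    /* initalize */
+    /* initialize */
+    if (input) {
+        zend_eval_string(input, NULL, "example");
+    }
     return;
--- a/README
+++ b/README
@@ -1 +1 @@
-Exmaple project
+Example project
"""

# Assumption: local policy for "runs a string as code" and "claims to be trivial".
EVAL_CALL = re.compile(r"\bzend_eval_string\w*\s*\(")
TRIVIAL = re.compile(r"\b(typo|whitespace|spelling|cosmetic)\b", re.I)
HUNK = re.compile(r"@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def review_patch(text):
    """Flag added lines that call an eval-style function and report whether
    the subject line claims the change is trivial."""
    subject, path, findings = "", None, []
    old_left = new_left = lineno = 0
    for line in text.splitlines():
        if old_left > 0 or new_left > 0:      # inside a hunk body
            tag = line[:1]
            if tag == "+" and EVAL_CALL.search(line):
                findings.append((path, lineno, line[1:].strip()))
            if tag in ("+", " ", ""):         # line exists in the new file
                new_left -= 1
                lineno += 1
            if tag in ("-", " ", ""):         # line exists in the old file
                old_left -= 1
        elif line.startswith("Subject:"):
            subject = line[8:].strip()
        elif line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif (m := HUNK.match(line)):         # hunk header gives the line budget
            old_left, lineno, new_left = int(m[1] or 1), int(m[2]), int(m[3] or 1)
    mismatch = bool(findings) and bool(TRIVIAL.search(subject))
    return {"subject": subject, "findings": findings, "message_mismatch": mismatch}
```

A hit with message_mismatch set is a prompt for a human reviewer to read the commit, not a verdict; the check does not address the spoofed author names, which need signed commits or server-side authentication to catch.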

Recent supply chain attacks

This incident is not the only supply chain attack that happened in the past few weeks; there have been others as well.
  • SITA, the aviation IT giant, experienced a serious data breach in a highly sophisticated supply chain attack.
  • Last month, a supply chain attack was discovered to be targeting Microsoft, Amazon, Zillow, and others by abusing the dependency confusion bug.


Supply chain attacks like these continue to highlight the need for a robust security ecosystem that rigorously monitors all updates made to the source code. Moreover, this points out the risks involved with open-source tools and technologies that may be used by attackers for launching devastating supply chain attacks.

Cyware Publisher