On 28th of March,2021 a big thing in the world of internet, programming or infosec happened. All of us are aware of PHP(Hypertext Preprocessor) which is used in backend of websites and almost 80% websites run on php either core php or wordpress based sites as WordPress CMS itself runs on PHP.

So this time the Official Repository of PHP was under attack and this time attacker was successfull in adding malicious code to the source. The attacker pushed two commits in PHP’s Repo in the name of Nikita Propov ( SDE @jetbrains and open source contributor) and Rasmus Lerdorf (Father of PHP). 

This was confirmed by Nikita Officialy on the PHP internal’s mailing list, She said – “We don’t yet know how

exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account).”

The above statement clearly indicates that the attacker did not had access to an individual account but rather he may had compromised the whole git.php.net server which concludes that this was not the case of social engineering which gave access to the attacker.

The team detected the malicious code was pushed in the repo by observing the HTTP header but this commit was not made into builds so as per team there is no loss or any destruction and all sites are safe but they are still checking for any other malicious commits.

–What Actions were Taken?

PHP Team took very strict actions against this as they introduced a new rule for open source contributors who were able to contribute easily earlier but now they need to become official members of PHP’s Github Repo and System of 2FA was also introduced in order to prevent further such attacks.

–How can You Help?

PHP Cares about Security and takes it seriously so in order to be safe they need helping hands from security researchers to detect any further impact of this attack which means

 The PHP core team is asking you to please contact security@php.net if you notice anything that could be related to this.

Meanwhile, the whole team is now performing security audits at each and every endpoint to detect any further problems caused by the attack.

To know more about it and secure your website kindly contact help@theweborion.com