Two malicious commits were pushed to the php-src repo [1] under the names of Rasmus Lerdorf and Nikita. The team does not yet know exactly how this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account). While the investigation is still underway, they have decided that maintaining their own git infrastructure is an unnecessary security risk, and that they will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net. Whereas write access to repositories was previously handled through the project's home-grown karma system, contributors will now need to be part of the php organization on GitHub.
In an attempt to compromise the PHP code base, two malicious commits were pushed to the official PHP Git repository yesterday.
The incident is alarming considering that PHP remains the server-side programming language powering 2/3 of the websites on the Internet.
In the malicious commits [1, 2] seen by BleepingComputer, the attackers published a mysterious change upstream, labeled “fix typo”, under the pretense that this was a minor typographical correction.