The PHP project recently announced that attackers were able to gain access to its main Git server and uploaded two malicious commits, including a backdoor. Luckily, these breaches were discovered before they went into production.
The commits were pushed to the php-src repository, giving attackers a supply-chain opportunity to infect websites. The websites would pick up the malicious code believing it to be legitimate.
Both commits claimed to “fix a typo” in the source code. They were uploaded using the names of PHP’s maintainers. PHP project is not sure how this happened, but believe that it involved a compromise of the git.php.net server, rather than a compromise of an individual git account.
In response to the hack, PHP is moving its servers to GitHub.
PHP is also reviewing all of its repositories for any corruption beyond the two commits that were discovered.
If the malicious commits weren’t detected before reaching production systems, the code could have ultimately poisoned the binary package repositories that many organizations rely upon and trust.
Open-source projects that are self-hosting their code repositories may be at increased risk of this type of supply-chain attack. It is important for these organizations to have processes in place to detect and reject suspicious commits.
Hacks that weaponize the software supply chain are becoming more common.
Just this month, for instance, malicious packages that targeted internal applications for Amazon, Lyft, Slack and Zillow were discovered. These packages targeted the inside of the npm public code repository, all of which exfiltrated sensitive information. The packages weaponized a proof-of-concept (PoC) code dependency-confusion exploit to inject rogue code into developer projects.