PHP Internal Git Server Hacked, Backdoor Inserted into Source
-
Looks like the current trend of supply chain attacks has hit PHP.
-
Looks like they will switch over to GitHub as main repo instead of their current https://git.php.net/ because of the security incident.
-
The backdoor was removed before it was compiled into a binary for admins to download so there is no issue for anyone running PHP. However this does prove to be an issues in regards to PHP's safety - They have moved to GitHub (@girish mentions in his reply) and will be better closely monitoring pushes and merges into the code base.
PHP's Own Nikita Popov: "The changes were on the development branch for PHP 8.1, which is due to release at the end of the year" which means the code has not been distributed. It's a big deal but not as big as everyone is making it out to be.
Hopefully this does NOT happen again.
