Unknown actors hacked PHP Git repository to insert backdoor into source code
Cybercriminals hacked into the official PHP Git repository in order to push two malicious commits and change the codebase.
The threat actors pushed the commits under the names of PHP developers Rasmus Lerdorf and Nikita Popov. To hide the malicious activity, they presented the changes as a simple typographical correction; in fact, they modified the PHP source code to insert a remotely controlled backdoor.
The added line 370, which calls the zend_eval_string function, is what actually implemented the backdoor: it allowed remote code execution on any website running the infected version of PHP.
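The pattern described above, a commit labelled as a typo fix that quietly adds a call to a dynamic-evaluation function, is something a repository maintainer can screen for mechanically. The following Python script is an added example, not code from the article or from the PHP project: it parses a unified diff, records every added line with its new line number, and flags commits whose message claims a trivial change while the diff introduces a call such as zend_eval_string. The sample diffs, the file path ext/example/example.c, the function example_handler and the list of sensitive call names other than zend_eval_string are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Functions whose sudden appearance in a commit deserves a human review.
# zend_eval_string is the call named in the incident report; the rest of the
# list is an assumed, illustrative set of dynamic-evaluation / command calls.
SENSITIVE_CALLS = ("zend_eval_string", "zend_eval_stringl", "eval(", "system(", "popen(")

# Words that signal a commit message is claiming a cosmetic change.
TRIVIAL_WORDS = re.compile(r"\b(typo|whitespace|spelling|comment)\b", re.IGNORECASE)

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str      # file the added line belongs to ("<commit>" for message-level findings)
    line_no: int   # line number in the new version of the file (0 for message-level)
    text: str      # the offending added line, or the commit subject
    reason: str


def parse_added_lines(diff_text):
    """Yield (path, new_line_number, content) for each '+' line of a unified diff."""
    path, new_ln, in_hunk = None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            in_hunk = False
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file header or "\ No newline at end of file"
        m = HUNK_HEADER.match(raw)
        if m:
            new_ln, in_hunk = int(m.group(1)), True
            continue
        if not in_hunk:
            continue  # "diff --git", "index", etc.
        if raw.startswith("+"):
            yield path, new_ln, raw[1:]
            new_ln += 1
        elif raw.startswith("-"):
            continue  # removed lines do not advance the new-file counter
        else:
            new_ln += 1  # unchanged context line


def review_commit(subject, diff_text):
    """Return a list of Findings for a commit (subject line + unified diff)."""
    findings = []
    added = list(parse_added_lines(diff_text))
    for path, ln, text in added:
        if any(call in text for call in SENSITIVE_CALLS):
            findings.append(Finding(path, ln, text.strip(),
                                    "adds a dynamic-evaluation or command-execution call"))
    if TRIVIAL_WORDS.search(subject):
        # A "typo" commit should not add executable code; comments are tolerated.
        code_lines = [t for _, _, t in added
                      if t.strip() and not t.strip().startswith(("//", "/*", "*"))]
        if findings or len(code_lines) > 3:
            findings.append(Finding("<commit>", 0, subject,
                                    "message claims a trivial change but the diff adds executable code"))
    return findings


# Constructed sample: a comment fix bundled with a new zend_eval_string call
# that lands on line 370 of the new file (line number chosen to match the article).
SAMPLE_DIFF = """\
diff --git a/ext/example/example.c b/ext/example/example.c
--- a/ext/example/example.c
+++ b/ext/example/example.c
@@ -368,4 +368,5 @@ static int example_handler(const char *input)
 {
-    /* Hanlde the request */
+    /* Handle the request */
+    zend_eval_string((char *)input, NULL, "example");
     return SUCCESS;
 }
"""

# Constructed sample: a genuine typo fix touching only a comment.
CLEAN_DIFF = """\
diff --git a/ext/example/example.c b/ext/example/example.c
--- a/ext/example/example.c
+++ b/ext/example/example.c
@@ -368,4 +368,4 @@ static int example_handler(const char *input)
 {
-    /* Hanlde the request */
+    /* Handle the request */
     return SUCCESS;
 }
"""

if __name__ == "__main__":
    for f in review_commit("Fix typo", SAMPLE_DIFF):
        print(f"{f.path}:{f.line_no}: {f.reason}: {f.text}")
    print("clean commit findings:", review_commit("Fix typo", CLEAN_DIFF))
```

In practice such a check would run as a server-side pre-receive hook or a CI step on every push, so that a disguised commit is held for review regardless of whose name appears in the author field; the article's point that the server itself was compromised is exactly why the check cannot rely on author identity alone.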
Investigation of the incident is ongoing; according to experts, the malicious activity stemmed from a compromise of the git.php.net server itself rather than from the compromise of an individual developer's Git account. The changes affected the development branch for PHP 8.1, which is due for release at the end of the year.
As a security measure, the developers also decided to move the PHP source code repository to GitHub.
Source: securitylab.ru
30 March 2021