The PHP project on Sunday announced that attackers were able to gain access to its main Git server, uploading two malicious commits, including a backdoor. They were discovered before they went into production.
PHP is a widely used open-source scripting language often used for web development. It can be embedded into HTML. The commits were pushed to the php-src repository, thus offering attackers a supply-chain opportunity to infect websites that pick up the malicious code believing it to be legit.
Both commits claimed to “fix a typo” in the source code. They were uploaded using the names of PHP’s maintainers, Rasmus Lerdorf and Nikita Popov, according to a message sent by Popov to the project’s mailing list on Sunday. He added that he didn’t think it was simple case of credential theft.
“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” he explained.
In response to the hack, PHP is moving its servers to GitHub, making them canonical.
“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server,” Popov explained. “Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net…This change also means that it is now possible to merge pull requests directly from the GitHub web interface.”
He also noted that PHP is reviewing all of its repositories for any corruption beyond the two commits that were found.
“We are lucky that the malicious commits were detected before reaching production systems,” said Craig Young, principal security researcher at Tripwire, via email. “Had it not been detected, the code could have ultimately poisoned the binary package repositories which countless organizations rely upon and trust. Open-source projects which are self-hosting their code repositories may be at increased risk of this type of supply-chain attack and must have robust processes in place to detect and reject suspicious commits.”
Weaponizing the Software Supply Chain
Making use of open-source repositories as a vehicle to compromise websites and applications is not uncommon.
In March, for instance, researchers spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository — all of which exfiltrated sensitive information. The packages weaponized a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects.
In January meanwhile, three malicious software packages were published to npm, masquerading as legitimate by using brandjacking. Any applications corrupted by the code could steal tokens and other information from Discord users, researchers said.
And in December, RubyGems, an open-source package repository and manager for the Ruby web programming language, took two of its software packages offline after they were found to be laced with malware.
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)