
Backdoor Disguised as Typo Fix Added to PHP Source Code
2021-03-29 13:05

The developers of the PHP scripting language revealed on Sunday that they had identified what appeared to be malicious code in the php-src repository hosted on the git.

The unauthorized code was disguised as two typo fix-related commits apparently pushed by Rasmus Lerdorf, author of the PHP language, and Nikita Popov, an important PHP contributor.

The code seems to allow an attacker to remotely execute arbitrary PHP code.

The investigation into this incident is ongoing, but the backdoor was discovered quickly and it apparently did not make it into a PHP update made available to users.

Interestingly, the malicious code is triggered by the string "Zerodium". Zerodium is the name of a well-known and controversial exploit acquisition company that claims to provide exploits to "Government organizations in need of advanced zero-day exploits and cybersecurity capabilities."

The commit added to the PHP code also contains the text "REMOVETHIS: sold to zerodium, mid 2017."


News URL

http://feedproxy.google.com/~r/Securityweek/~3/X4N-hry7XTU/backdoor-disguised-typo-fix-added-php-source-code

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
PHP 9 1 43 115 124 283