Security News
Attackers tried to insert backdoor into PHP source codeThe PHP development team has averted an attempted supply chain compromise that could have opened a backdoor into many web servers. The growing threat to CI/CD pipelinesBy hardening CI/CD pipelines and addressing security early in the development process, developers can deliver software faster and more securely.
Why Apple had to rush out a security update for iDevices. Two cryptographic security holes patched in OpenSSL. How PHP nearly got backdoored by crooks.
Open source web programming language PHP narrowly avoided a potentially dangerous supply chain attack over the weekend. In theory, anyone who downloaded the very latest "Still in development" version of PHP on Sunday 2021-03-28, compiled it, and installed it on a real-life, internet facing web server could have been at risk.
Malicious commits were made to the php-src repo on Sunday that could have enabled hackers to perform remote code execution on websites running the hijacked code. The main Git repository for the PHP programming language has been moved to GitHub after hackers tried to insert a backdoor into the source code.
The PHP project on Sunday announced that attackers were able to gain access to its main Git server, uploading two malicious commits, including a backdoor. "Had it not been detected, the code could have ultimately poisoned the binary package repositories which countless organizations rely upon and trust. Open-source projects which are self-hosting their code repositories may be at increased risk of this type of supply-chain attack and must have robust processes in place to detect and reject suspicious commits."
The developers of the PHP scripting language revealed on Sunday that they had identified what appeared to be malicious code in the php-src repository hosted on the git. The unauthorized code was disguised as two typo fix-related commits apparently pushed by Rasmus Lerdorf, author of the PHP language, and Nikita Popov, an important PHP contributor.
The main code repository for PHP, which powers nearly 80 per cent of the internet, was breached to add malicious code and is now being moved to GitHub as a precaution. "Yesterday two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and myself. We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server," said PHP maintainer Nikita Popov, who works with the PHP team at JetBrains.
The PHP development team has averted an attempted supply chain compromise that could have opened a backdoor into many web servers. Php.net server," developer Nikita Popov explained in a message sent out through one of the project's mailing lists.
In the latest software supply chain attack, the official PHP Git repository was hacked and the code base tampered with. Yesterday, two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.
In yet another instance of a software supply chain attack, unidentified actors hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a secret backdoor into its source code. The changes, which were committed as "Fix Typo" in an attempt to slip through undetected as a typographical correction, involved provisions for execution of arbitrary PHP code.