The official PHP Git repository suffered a software supply chain attack this week. Two malicious commits were pushed to the repository, where the attackers sign the commits with falsified but plausible aliases. An RCE backdoor was uploaded, which executes a backdoor in the HTTP protocol’s user agent header field. According to the PHP maintainers, the investigation is still ongoing and the PHP source code is moved to the official repository on GitHub.
The first commit was found at least 2 hours after it was made, and the changes were reverted. In addition, it is confirmed that WordPress sites remain unaffected by these vulnerabilities as the commits were caught in time.
No remedial activity is needed for the individual reader’s website, as PHP is an open-source language. As a result, it is difficult to implement access controls without restricting access to its source code.
However, this is another stark reminder about supply chain attacks. This is not the first instance of a malicious commit and it will not be the last.
Source: Bleeping Computer