Cybercriminals recently broke into the official PHP Git repository and planted two hidden backdoors in the source code, altering the codebase.
The attackers pushed the commits under the names of PHP developers Rasmus Lerdorf and Nikita Popov, and disguised the changes as minor typo fixes to conceal their activity.
In reality, the changes turned the PHP source into a remotely controlled backdoor: the inserted line 370, which calls the zend_eval_string function, allowed an attacker to execute arbitrary code remotely on any website running a PHP build that included the change.
According to PHP developer Jake Birchall, that line executed PHP code supplied in one of the user's HTTP request headers whenever the header's value began with the string 'zerodium'.
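Two defensive checks that follow from the trigger described above, written here as an added example (not code from the PHP project or from the article): one flags an incoming HTTP request whose header value starts with 'zerodium', the other flags C source in a PHP checkout where a zend_eval_string call sits within a few lines of a "zerodium" string literal. The sample requests and C snippets are constructed for the example; the request check deliberately looks at every header name rather than only User-Agent, because the text says only that the code came from "an HTTP header".

```python
"""Defensive checks for the trigger condition of the 2021 PHP git backdoor.

Added example, not code from the PHP project or the article. It assumes only
what the text states: the implant evaluated PHP code taken from an HTTP request
header whenever that header's value began with 'zerodium', via zend_eval_string.
"""
import re
from typing import Dict, List, Tuple

TRIGGER_PREFIX = "zerodium"


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return header name (lower-cased) -> value from a raw HTTP/1.x request."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # skip the request line ("GET /path HTTP/1.1")
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def scan_request(raw_request: str) -> List[Tuple[str, str]]:
    """Return (header, value) pairs whose value starts with the trigger prefix.

    Every header name is checked, not just User-Agent, because an implant is
    free to read a non-standard header name and a log or WAF rule keyed on one
    name would miss it.
    """
    hits: List[Tuple[str, str]] = []
    for name, value in parse_headers(raw_request).items():
        if value.lower().startswith(TRIGGER_PREFIX):
            hits.append((name, value))
    return hits


_EVAL_RE = re.compile(r"\bzend_eval_string\s*\(")
_TRIGGER_RE = re.compile(r'"' + TRIGGER_PREFIX + r'"')


def scan_c_source(source: str, window: int = 10) -> List[int]:
    """Return 1-based line numbers of zend_eval_string calls that appear within
    `window` lines of a "zerodium" string literal (integrity check for a checkout)."""
    lines = source.splitlines()
    trigger_lines = [i for i, line in enumerate(lines) if _TRIGGER_RE.search(line)]
    suspicious: List[int] = []
    for i, line in enumerate(lines):
        if _EVAL_RE.search(line) and any(abs(i - t) <= window for t in trigger_lines):
            suspicious.append(i + 1)
    return suspicious


# Constructed sample inputs (not captured traffic, not real PHP source).
BENIGN_REQUEST = (
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)
TRIGGER_REQUEST = (
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: zerodium[constructed placeholder]\r\n\r\n"
)
CLEAN_C = "int f(void) {\n    return 0;\n}\n"
SUSPICIOUS_C = (
    "int g(const char *hdr) {\n"
    '    if (strncmp(hdr, "zerodium", 8) == 0) {\n'
    '        zend_eval_string(hdr + 8, NULL, "x");\n'
    "    }\n"
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    print("benign request   :", scan_request(BENIGN_REQUEST))
    print("trigger request  :", scan_request(TRIGGER_REQUEST))
    print("clean source     :", scan_c_source(CLEAN_C))
    print("suspicious source:", scan_c_source(SUSPICIOUS_C))
```

The source check is a heuristic: it reports every zend_eval_string call near the literal so a reviewer can look, not a proof that a tree is clean. Comparing a checkout against the project's signed tags or the GitHub repository is the authoritative check.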
The first commit was spotted during a routine code review only a couple of hours after it landed; the changes were clearly malicious and were reverted immediately.
The PHP team is still investigating, but its current assessment is that the malicious commits came from a compromise of the git.php.net server itself rather than of an individual developer's Git account.
According to internal reports, the changes affected the development branch for PHP 8.1, which is scheduled for release later this year. In response, the developers decided to make the GitHub repository the official home of the PHP source code, citing several security reasons.