“[On Sunday, March 28] two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and myself. We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” developer Nikita Popov explained in a message sent out through one of the project’s mailing lists.
The unidentified attackers disguised the proposed changes as attempts to fix a typo, but their true nature was luckily recognized by the developers before making it into production.
Had they succeeded, the attackers would have been able to use the backdoor to execute malicious PHP code on targeted servers.
The PHP development team is still investigating and reviewing the repositories for any corruption beyond those two commits but, in the meantime, they also decided to stop using their own git infrastructure and make the GitHub repositories canonical.
“This means that changes should be pushed directly to GitHub rather than to git.php.net. This change also means that it is now possible to merge pull requests directly from the GitHub web interface,” Popov added, and urged contributors to get in touch if they are not yet part of the php organization on GitHub or don’t have access to a repository they should have access to.
UPDATE (April 7, 2021, 05:10 a.m. PT):
Popov has shared an update on the incident and said that they no longer believe the git.php.net server has been compromised, but that it is possible that the master.php.net user database leaked.
Some things about the incident are still unclear but, in the meantime, the PHP team has reset all php.net passwords and is asking users to set a new one for their account.