Hackers broke into the internal code repository of the PHP programming language and tried to backdoor the source code in a brazen attempt to hack the internet’s supply chain.
PHP is used to program the servers behind almost 80 percent of websites on the internet, which means that this attack, if it had gone undetected, could have given the hackers the ability to take control of thousands of sites.
The hackers uploaded two pieces of malicious code as part of a commit to the PHP code base using the names of two core PHP developers, Rasmus Lerdorf and Nikita Popov, the developer who disclosed the breach.
“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov wrote.
Popov also announced that the PHP project would now move to GitHub rather than use its own internal code repository.
“We have decided that maintaining our own git infrastructure is an unnecessary security risk,” he added in the breach announcement.
“Running your own stuff in 2021 is hard,” he wrote.
The malicious code mentioned Zerodium, a notorious broker of zero-days. It’s unclear why the hackers included the company’s name in the malicious code, but according to Zerodium’s founder and CEO, this was just a joke.
“Cheers to the troll who put ‘Zerodium’ in today’s PHP git compromised commits. Obviously, we have nothing to do with this,” Chaouki Bekrar wrote on Twitter. “Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun.”
Popov wrote that the investigation into this breach “is still underway” and that developers are checking that the hackers didn’t make any other malicious changes.
Motherboard reached out to Popov asking for comment, and we will update this story when he gets back to us.