UPDATE, April 8, 10:21 p.m. ET: Popov wrote in a mailing list message on April 6 that him and his colleagues now believe the hackers may have compromised the PHP user database, rather that the server used to develop PHP’s code.
“We no longer believe the git.php.net server has been compromised. However, it is possible that the master.php.net user database leaked,” Popov wrote.
Videos by VICE
The original story follows below.
Hackers broke into the internal code repository of the PHP programming language and tried to backdoor the source code in a brazen attempt to hack the internet’s supply chain.
PHP is used to program the servers behind almost 80 percent of websites on the internet, which means that this attack, if it had gone undetected, could have given the hackers the ability to take control of thousands of sites.
One of the PHP core developers disclosed the breach on the programming language’s official mailing list on Sunday night, and the news was first reported by Bleeping Computer.
The hackers uploaded two pieces of malicious code as part of a commit to the PHP code base using the names of two core PHP developers, Rasmus Lerdorf and Nikita Popov, the developer who disclosed the breach.
“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov wrote.
Popov also announced that the PHP project would now move to Github rather than use its own internal code repository.
“We have decided that maintaining our own git infrastructure is an unnecessary security risk,” he added in the breach announcement.
Do you have information on this data breach or other data breaches? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com
As cybersecurity expert Martijn Grooten pointed out on Twitter, this may be one of the key takeaways from this failed supply chain attack.
“Running your own stuff in 2021 is hard,” he wrote.
The malicious code mentioned Zerodium, a notorious broker of zero-days. It’s unclear why the hackers included the company’s name in the malicious code, but according to Zerodium’s founder and CEO, this was just a joke.
“Cheers to the troll who put ‘Zerodium’ in today’s PHP git compromised commits. Obviously, we have nothing to do with this,” Chaouki Bekrar wrote on Twitter. “Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun.”
Popov wrote that the investigation into this breach “is still underway” and that developers are checking that the hackers didn’t make any other malicious changes.
Motherboard reached out to Popov asking for comment, and we will update this story when he gets back to us.
Subscribe to our cybersecurity podcast CYBER, here.