The PHP development team, a well-known programming language, recently issued an announcement stating that hackers submitted malicious code through the PHP’s Git server in an attempt to launch a supply chain attack.
It is not yet clear how the hacker completed the attack, but the development team believes that the independently maintained git.php.net server may be the source of the problem.
Therefore, based on security considerations, the development team decided to give up maintaining its own independent server, and then the source code and updates of the entire project were migrated to the Github platform.
The preliminary investigation report shows that the attacker initially submitted two changes to the project, and the submitter was a well-known PHP developer.
Shortly after the initial submission, the attacker submitted the changes again. This malicious submission was submitted in the name of another well-known PHP developer, so it was confusing.
Although it is not submitted by a real team developer, it is easy to be misidentified. This may also be the reason for the relevant malicious submission and successfully merged into the PHP project code.
Fortunately, the team developers found related malicious submissions when inspecting the source code and immediately deleted the source code, so this supply chain attack was unsuccessful for the hackers.
If no malicious code is found and merged into the main thread, it may cause serious security threats to millions of PHP-based websites around the world.
How the hackers took down the PHP server is not yet clear, but preliminary investigation results suggest that the attack may be related to some flaws in the server.
Therefore, based on security considerations, PHP no longer maintains its own update server. Next, the development team will migrate the entire project to the Github platform for hosting.
At that time, unofficial developers can also submit feedback and improvements through the Github platform, which will also help improve the transparency of project changes and improve security.
In addition, the development team also emphasized that the malicious code submission will not affect users, because the malicious code has not been packaged into a release version so no one will update it.