PHP suffers supply-chain attack


The maintainers of the popular PHP: HyperText PreProcessor scripting language have moved their code repository from a self-hosted git instance to Microsoft-owned Github, after a security scare that saw malicious commits pushed to the php-src source tree.

Two new commits that contained a backdoor were discovered on May 28, and removed after approximately two hours, PHP maintainer Nikita Popov said.

The commits were pushed using Popov’s and PHP founder Rasmus Lerdorf’s names.

Popov said the commits may be the result of the server being compromised, rather than his or Lerdorf’s individual accounts being hacked.

It is not clear who committed the malicious code, which would activate if an HTTP header with the string “zerodium” is sent.

Zerodium buys software vulnerabilities to deploy exploits.

The security scare means PHP will no longer host its own git instance, and will shift all code repositories to Github.

“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical,” Popov wrote.

Other PHP developers suggested that cryptographic signing of commits be required as well, to ensure their authenticity.

Signing is currently optional, but Lerdorf said he’s open to the idea of making it a requirement for the main php-source repository.

PHP maintainers are reviewing other repositories to see if they, too, have been affected by malicious code commits.

Supply-chain attacks such as the one suffered by PHP have become more common recently, with the repercussions of the SolarWinds hack that targeted American government agencies and technology companies still being felt.

Earlier this week, security vendor Palo Alto Networks posted research on malicious images found in the Docker Hub repository.

Aviv Sasson of PAN’s Unit 42 group found 30 images on Docker Hub from 10 different accounts, which contained miners for the Monero, Arionum and Grin cryptocurrencies.

The malicious images had been pulled over 20 million times, and earned the cryptojackers an estimated US$200,000 as they executed on unwitting users’ machines.

Sasson said his findings mean that it is reasonable to assume that there are many other undiscovered malicious images on Docker Hub, and other public container registries.

Leave a Reply