Hackers try to bug PHP programming language in supply chain cautionary tale

79% of websites use PHP, according to one estimate.

Unidentified hackers have tried to plant malicious code in PHP, a programming language used in an estimated 79% of websites.

The developers who maintain PHP said Sunday that the attackers likely broke in through a PHP server, and made two “commits,” or attempted changes to the PHP source code. It’s but one example of the supply-chain vulnerabilities inherent in the basic building blocks of popular websites.

“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the server,” Nikita Popov, a software developer who helps maintain PHP, said in a statement. Popov said PHP would move its code repositories to GitHub, an open-source platform for software developers.     

Popov did not immediately respond to a request for comment, but told Bleeping Computer that PHP’s maintainers had caught the malicious code before it was introduced publicly to websites.


Had the code propagated, the attackers could have had the ability to tamper with numerous websites. PHP was built into 79% of websites surveyed by consultancy W3Tech, including the sites for Facebook and Zoom. PHP vulnerabilities tend to be disclosed with an urgent appeal for users to update their software because of the programming language’s wide use.

The incident underscores why software development hubs are attractive targets for supply-chain compromises: Users trust code delivered from legitimate sources.

GitHub, which reportedly has tens of millions of users, had its own code-tampering problem last year. Hackers managed to use GitHub to spread malicious code to 26 different coding projects on the platform before investigators removed the malware.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts