Hackers try to bug PHP programming language in supply chain cautionary tale
Unidentified hackers have tried to plant malicious code in PHP, a programming language used in an estimated 79% of websites.
The developers who maintain PHP said Sunday that the attackers likely broke in through a PHP server, and made two “commits,” or attempted changes to the PHP source code. It’s but one example of the supply-chain vulnerabilities inherent in the basic building blocks of popular websites.
“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server,” Nikita Popov, a software developer who helps maintain PHP, said in a statement. Popov said PHP would move its code repositories to GitHub, an open-source platform for software developers.
Popov did not immediately respond to a request for comment, but told Bleeping Computer that PHP’s maintainers had caught the malicious code before it was introduced publicly to websites.
Had the code propagated, the attackers could have been able to tamper with numerous websites. PHP was built into 79% of websites surveyed by consultancy W3Techs, including the sites for Facebook and Zoom. PHP vulnerabilities tend to be disclosed with an urgent appeal for users to update their software because of the programming language’s wide use.
The incident underscores why software development hubs are attractive targets for supply-chain compromises: Users trust code delivered from legitimate sources.
GitHub, which reportedly has tens of millions of users, had its own code-tampering problem last year. Hackers managed to use GitHub to spread malicious code to 26 different coding projects on the platform before investigators removed the malware.