Summary
On March 28, 2021, attackers compromised PHP's self-hosted Git server at git.php.net and pushed two malicious commits directly to the php-src master branch, the canonical source for the PHP interpreter used by a large share of the web. The first commit was disguised as a minor typo fix and the second as a revert, with the author and committer fields forged to impersonate PHP creator Rasmus Lerdorf and core maintainer Nikita Popov, exploiting the fact that Git lets anyone locally set arbitrary commit authorship. The injected code added a backdoor in the request-handling path that inspected the incoming User-Agentt header and, if its value began with the string zerodium, passed the remainder to zend_eval_string to execute attacker-supplied PHP code, yielding unauthenticated remote code execution on any server built from the poisoned source. The code carried the comment 'REMOVETHIS: sold to zerodium, mid 2017'. Maintainers caught the commits during routine post-commit review and reverted them before any release build incorporated them, and investigators concluded the git.php.net server itself was breached rather than an individual account. In response, PHP discontinued its own Git infrastructure and moved the canonical repository to GitHub.
How to avoid it in your code
- Move canonical source off self-hosted Git onto a hardened, audited forge with enforced authentication.
- Require cryptographically signed commits and verify signatures in branch protection.
- Enforce mandatory code review and protected branches before merge to release branches.
- Audit and rebuild from a known-clean source after any infrastructure compromise.
- Reproduce release artifacts from verified commits to confirm no injected code.
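One way to act on the signed-commit and known-clean-source items above is a pre-release audit that walks the branch history and flags any commit that is unsigned, has a bad signature, or was signed with a key not registered to the claimed author, which is the kind of forged-authorship commit described in the summary. This is an added example, not code from the PHP project; the log format, the sample log lines and the key registry are constructed.

```python
from dataclasses import dataclass

# Unit separator: safe field delimiter for `git log --format='%H%x1f%ae%x1f%G?%x1f%GK%x1f%s'`
SEP = "\x1f"

@dataclass
class Commit:
    sha: str
    author_email: str
    sig_status: str   # %G?: G good, B bad, U unknown validity, X/Y expired, R revoked, E error, N none
    key_id: str       # %GK: key that produced the signature, empty when unsigned
    subject: str

def parse_log(text: str) -> list[Commit]:
    """Parse the SEP-delimited `git log` output into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, email, status, key, subject = line.split(SEP, 4)
        commits.append(Commit(sha, email, status, key, subject))
    return commits

def audit(commits: list[Commit], keyring: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (sha, reason) for every commit that fails the signing policy.
    Policy: signature must verify as good AND the signing key must be one
    registered for the author e-mail, so a forged author field is caught even
    when the attacker signs with a key of their own."""
    findings = []
    for c in commits:
        if c.sig_status != "G":
            findings.append((c.sha, f"signature status {c.sig_status!r} is not good"))
        elif c.key_id not in keyring.get(c.author_email, set()):
            findings.append((c.sha, f"key {c.key_id} is not registered for {c.author_email}"))
    return findings

# Constructed sample log (hypothetical commits, not real php-src history).
SAMPLE_LOG = "\n".join([
    SEP.join(["a1b2c3d", "alice@example.org", "G", "AAAA1111", "Fix build on FreeBSD"]),
    SEP.join(["d4e5f6a", "rasmus@example.org", "N", "", "Fix typo"]),           # unsigned
    SEP.join(["b7c8d9e", "nikita@example.org", "G", "BBBB2222", "Revert \"Fix typo\""]),  # wrong key
    SEP.join(["0f1e2d3", "bob@example.org", "B", "CCCC3333", "Add test"]),      # bad signature
])
# Constructed registry of which signing keys belong to which maintainer e-mail.
KEYRING = {"alice@example.org": {"AAAA1111"}, "rasmus@example.org": {"EEEE5555"},
           "nikita@example.org": {"DDDD4444"}, "bob@example.org": {"CCCC3333"}}

if __name__ == "__main__":
    for sha, reason in audit(parse_log(SAMPLE_LOG), KEYRING):
        print(f"REJECT {sha}: {reason}")
```

In a real pipeline the same `git log --format` string is run against the release branch and the registry is the forge's verified-key list; any finding blocks the build.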
Related vulnerabilities
- CRITICAL GHSA-4XPC-PV4P-PM3W: LiteLLM: Authentication Bypass via Host Header Injection
- HIGH GHSA-F59H-Q822-G45G: Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
- MEDIUM GHSA-JVC7-762P-3743: n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes
- CRITICAL NPM-SHAI-HULUD-2-2025: A renewed wave of the Shai-Hulud worm, dubbed Shai-Hulud 2.0 or 'The Second Coming', began around November 21-24, 2025 and affected tens of thousands of GitHub repositories across roughly 350 unique users. The variant moved execution to the pre-install phase, dropped large heavily obfuscated payloads (setup_bun.js and bun_environment.js), and exfiltrated stolen secrets to public GitHub repositories described as 'Sha1-Hulud: The Second Coming'. As an aggressive fallback, it attempted to destroy the victim's entire home directory if credential theft failed.
- CRITICAL NPM-SHAI-HULUD-2025: Shai-Hulud was the first self-replicating worm to hit the npm ecosystem, disclosed around September 15, 2025. Beginning with the compromise of @ctrl/tinycolor (over 2 million weekly downloads), the malware harvested developer credentials (npm tokens, GitHub PATs, and AWS/GCP/Azure secrets) using the TruffleHog secret scanner, then automatically authenticated to npm and republished trojanized versions of every package the victim maintained, spreading exponentially without operator intervention. It exfiltrated stolen secrets to attacker webhooks and public GitHub repositories and established persistence via a malicious GitHub Actions workflow. More than 500 packages were ultimately compromised, including several CrowdStrike packages.
- CRITICAL NPM-QIX-CHALK-DEBUG-2025: On September 8, 2025, maintainer Josh Junon ('Qix') was phished via a fake npm 2FA-reset email from the spoofed domain support@npmjs.help, giving attackers control of his account. They published malicious versions of 18 foundational packages including chalk@5.6.1, debug@4.4.2, ansi-styles@6.2.2 and strip-ansi@7.1.1, which collectively account for over 2 billion weekly downloads, making it the largest npm supply chain attack by download volume. The injected payload was a browser-based crypto clipper that hooked fetch and XMLHttpRequest, used Levenshtein-distance matching to swap victim wallet addresses across Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash, and hijacked window.ethereum/MetaMask transactions. The malicious versions were live for roughly two hours before removal.