In yet another instance of a software supply chain attack, someone hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a secret backdoor into its source code.

The two malicious commits were pushed to the self-hosted "php-src" repository hosted on the git.php.net server, illicitly using the names of Rasmus Lerdorf, the author of the programming language, and Nikita Popov, a software developer at Jetbrains.

The changes are said to have been made yesterday on March 28.

"We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account," Popov said in an announcement.

The changes, which were committed as "Fix Typo" in an attempt to slip through undetected as a typographical correction, involved provisions for the arbitrary execution of arbitrary PHP code. "This line executes PHP code from within the useragent HTTP header, if the string starts with 'zerodium'," PHP developer Jake Birchall said.

Besides reverting the changes, the maintainers of PHP are said to be reviewing the repositories for any corruption beyond the aforementioned two commits. Additionally, contributing to the PHP project will now require developers to be added as a part of the organization on GitHub.

It's not immediately clear if the tampered codebase was downloaded and distributed by other parties before the changes were spotted and reversed.

We have reached out to the maintainers of PHP for more comments, and we will update the story if we hear back.