https://www.theregister.com/2021/03/29/php_repository_infected/
This one's pretty new... from 3/28
"The main code repository for PHP, which powers nearly 80 per cent of
the internet, was breached to add malicious code and is now being moved
to GitHub as a precaution."
<quote>
"Yesterday (2021-03-28) two malicious commits were pushed to the php-src
repo from the names of Rasmus Lerdorf and myself. We don't yet know how
exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git
account)," said PHP maintainer Nikita Popov, who works with the PHP team
at JetBrains.
</quote>
and the nature of the breach:
"This line executes PHP code from within the useragent HTTP header, if
the string starts with 'zerodium'"
No doubt malicious "visitors" would be from Tor or botnet IP addresses.
"The code was inserted under the misleading name 'Fix typo' and claimed
to be signed off by Rasmus Lerdorf, the creator of PHP"
And, it gets better...
"Popov reverted the code, which was then restored by a criminal seven
hours later, using Popov's name. The backdoor survived for one hour
before being again removed."
The article continues on, saying it's being investigated, etc.
Also, from Popov's statement:
"We have decided that maintaining our own git infrastructure is an
unnecessary security risk, and that we will discontinue the git.php.net
server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net."
worth mentioning:
"The brief appearance of malicious code in the official repository does
not mean it will make its way into many of those servers. PHP is most
often installed from distribution repositories."
Similarly, FreeBSD ports have tarballed source with MD5 and size
checksums that disallow installing modified source. So unless you DL
the bleeding edge from the repo and build it yourself, it's unlikely
you're affected.
(I'm glad they were paying attention when this happened)
--
(aka 'Bombastic Bob' in case you wondered)
'Feeling with my fingers, and thinking with my brain' - me
'your story is so touching, but it sounds just like a lie'
"Straighten up and fly right"
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
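As an added, defender-side example that is not part of the original post or the article: the quoted description says the backdoor keyed on the User-Agent header starting with 'zerodium', so an operator who built PHP from the repo during the affected window can triage their web access logs for that prefix. The log format, the sample lines and the 192.0.2.0/24 addresses are constructed here for illustration.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" log format; the User-Agent is the final quoted field.
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Trigger prefix quoted in the article's description of the malicious commit.
TRIGGER_PREFIX = "zerodium"


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_trigger_ua(user_agent: str) -> bool:
    # The backdoor was described as checking whether the UA *starts* with the
    # string; match case-insensitively so capitalisation variants still surface.
    return user_agent.lower().startswith(TRIGGER_PREFIX)


def find_trigger_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records whose User-Agent carries the trigger prefix."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_combined(line)
        if rec is None:
            continue  # unparsable line: skip rather than miss the rest of the file
        if is_trigger_ua(rec["ua"]):
            hits.append({"line_no": str(n), "ip": rec["ip"],
                         "time": rec["time"], "ua": rec["ua"]})
    return hits


# Constructed sample log lines (not real traffic); 192.0.2.0/24 is documentation space.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Mar/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.11 - - [29/Mar/2021:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "zerodiumTEST"',
    'this line is not in combined format',
    '192.0.2.12 - - [29/Mar/2021:10:01:09 +0000] "GET /about.php HTTP/1.1" 200 300 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in find_trigger_requests(SAMPLE_LOG):
        print(f"line {hit['line_no']}: {hit['ip']} at {hit['time']} UA={hit['ua']!r}")
```

A hit only means a request carrying the trigger prefix arrived; whether it did anything depends on whether that server was actually running a build containing the malicious commit.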