In a post to the project's php.doc and php.internals groups, Popov said the process whereby this happened was not known as yet.
"We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account)," he wrote.
The PHP project has always had source code on GitHub, but until now the repository served as a mirror. That will change from now on, according to Popov.
Git is a source code management system developed by Linux creator Linus Torvalds in 2005, but now maintained by kernel developer Junio Hamano.
Cheers to the troll who put "Zerodium" in today's PHP git compromised commits. Obviously, we have nothing to do with this.— Chaouki Bekrar (@cBekrar) March 29, 2021
Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun ?
Torvalds had to ditch a proprietary code management system known as BitKeeper when its owner, Larry McVoy, took umbrage at the fact that well-known Australian free software developer Andrew Tridgell reverse-engineered the protocols used in BitKeeper and released the code for his own program, SourcePuller.
In retaliation, McVoy pulled the free version of BitKeeper which had been available until then which was being used by a number of Linux kernel developers. Which, in turn, led to Torvalds creating how own solution, git.
Popov wrote: "While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server.
"Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.
"While previously write access to repositories was handled through our home-grown karma system, you will now need to be part of the php organisation on GitHub.
"If you are not part of the organisation yet, or don't have access to a repository you should have access to, contact me at nikic @ php.net with your php.net and GitHub account names, as well as the permissions you're currently missing. Membership in the organisation requires 2FA to be enabled.
"This change also means that it is now possible to merge pull requests directly from the GitHub Web interface."
"We're reviewing the repositories for any corruption beyond the two referenced commits."