PHP's Git Server Compromised, Now Switching To GitHub

Written by Michael Larabel in Programming on 29 March 2021 at 06:56 AM EDT.
The PHP programming language's self-hosted Git server was compromised on Sunday and two malicious commits were introduced.

The PHP core team is still investigating how the official PHP Git server was compromised, but they have already decided to immediately abandon their self-hosted infrastructure and will instead use GitHub.

The malicious commits introduced a new vector for arbitrary code execution via specially crafted code within the HTTP headers. This would obviously have exposed many PHP servers to remote code execution had these commits gone unnoticed and reached stable versions / production environments.

PHP already provided a read-only copy of their Git repository via GitHub; moving forward, that will now become the official source.

Switching to GitHub means they will also be accepting merge requests via GitHub.

More details on the PHP mailing list.