What WordPress Users Need to Know. An unknown actor compromised the official PHP Git repository last night (March 28), pushing backdoored code under the guise of a minor edit.
The malicious attacker pushed two commits to the php-src repo for the popular scripting language that contained a backdoor allowing for remote code execution (RCE), maintainers revealed.
Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src git repository. These commits were pushed to create a backdoor that would have effectively allowed attackers to achieve remote code execution through PHP and an HTTP header.