The unauthorized code was disguised as two typo fix-related commits apparently pushed by Rasmus Lerdorf, author of the PHP language, and Nikita Popov, an important PHP contributor. The code seems to allow an attacker to remotely execute arbitrary PHP code.

The investigation into this incident is ongoing, but the backdoor was discovered quickly and it apparently did not make it into a PHP update made available to users.

“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov explained after the incident was discovered.