The malicious code, discovered in late March, was found in the php-src repository hosted on the git.php.net server and it was apparently designed to allow an attacker to remotely execute arbitrary PHP code. PHP developers said the backdoor was discovered before it was pushed out to users via an update.

Initially, users were told that evidence pointed to a compromise of the git.php.net server rather than a Git account hijacking.

However, in an update shared this week, Nikita Popov, an important PHP contributor, said they no longer believe the git.php.net server was compromised.