The unauthorized code was disguised as two typo fix-related commits apparently pushed by Rasmus Lerdorf, author of the PHP language, and Nikita Popov, an important PHP contributor. The code seems to allow an attacker to remotely execute arbitrary PHP code. The investigation into this incident is ongoing, but the backdoor was discovered quickly and it…