The open-source server-side language is commonly used in web development. The code change was first noticed by contributors Markus Staab, Michael Voříšek, and Jake Birchall.

Popov said the development team is not sure exactly how the attack took place, but clues indicate that the official git.php.net server was likely compromised, rather than individual Git accounts.

Over the weekend, attackers uploaded two malware payloads to the PHP git server, one would have created a backdoor to PHP-enabled websites. Both were found and reverted before going into production.

The PHP team has confirmed to BleepingComputer that they plan on eventually decommissioning their git server in the upcoming days and moving to GitHub permanently. Update 29-Mar-21 7:22 AM ET ...

Two updates pushed to the PHP Git server over the weekend added a line that, if run by a PHP-powered website, would have allowed visitors with no authorization to execute code of their choice.