The official PHP Extension and Application Repository (PEAR) website has been shut down after an apparent hack caused the original PHP PEAR package manager to be replaced by attackers with a tainted version.
The framework developers have taken the website offline after noticing that the original PHP PEAR package manager (go-pear.phar) was swapped in their file system. The malicious version seems to have been available for download for more than six months, meaning everyone who downloaded the package from the official webpage in that time could have been compromised.
“A security breach has been found on the http://pear.php.net webserver, with a tainted go-pear.phar discovered,” reads a notice on the official website. “The PEAR website itself has been disabled until a known clean site can be rebuilt. A more detailed announcement will be on the PEAR Blog once it’s back online.”
While the tool is open source and community-driven, these types of supply chain attacks are not uncommon. Security researchers even predicted that this attack method would become far more common in 2019, as threat actors leverage vulnerabilities in websites to replace legitimate binaries with tampered ones.
“If you have downloaded this go-pear.phar in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes,” the notice reads. “If different, you may have the infected file.”
While developers have clearly stated that only the package hosted on the official website was affected, with the GitHub release apparently left unharmed, they still advise everyone to compare file hashes with the latest build.
A new clean version 1.10.10 of pearweb_phars is now available on GitHub for everyone to download and install. But, until the official website becomes available, there is little information on how attackers might have used the tainted version to compromise victims.
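The hash comparison the notice asks for, as an added example that is not part of the original article or of the PEAR project's tooling: it streams both files through SHA-256 and reports whether the downloaded go-pear.phar matches the copy taken from the GitHub release. The file paths and the sample contents in `demo()` are constructed stand-ins, not the real archive.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so a large .phar does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_phar(local_path, reference_path):
    """Compare a downloaded go-pear.phar against the copy from the GitHub release.

    Returns both digests and a boolean; a False match means the local copy is
    not the published build and should be treated as suspect until explained.
    """
    local = sha256_of_file(local_path)
    reference = sha256_of_file(reference_path)
    return {
        "local_sha256": local,
        "reference_sha256": reference,
        "match": hmac.compare_digest(local, reference),
    }


def demo():
    """Constructed sample: a 'release' file, an identical download and a tampered one."""
    release = b"<?php\n/* constructed stand-in for go-pear.phar, not the real archive */\n"
    tampered = release + b"/* constructed: extra bytes appended by a hypothetical attacker */\n"
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "go-pear.phar.github")   # copy from pear/pearweb_phars
        good = os.path.join(tmp, "go-pear.phar.good")    # untouched download
        bad = os.path.join(tmp, "go-pear.phar.bad")      # modified download
        for path, data in ((ref, release), (good, release), (bad, tampered)):
            with open(path, "wb") as fh:
                fh.write(data)
        return {"clean": compare_phar(good, ref), "tampered": compare_phar(bad, ref)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: match={result['match']} sha256={result['local_sha256']}")
```

Point `compare_phar()` at the go-pear.phar you downloaded and at the copy fetched from the pear/pearweb_phars release to run the real check.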
With no information on who might have been behind the attack, how many users might have been affected, and in what way, everyone is encouraged to take appropriate steps, starting with downloading the newest version and perhaps auditing their systems.
The PEAR team promises to come back with more details as its investigation progresses and its official website becomes operational again.