PHP PEAR Site Hacked; Tainted Package Available for Months

The official PHP Extension and Application Repository (PEAR) website has been taken offline after an apparent hack in which attackers replaced the PEAR package manager installer with a tainted version.

The PEAR maintainers took the website offline after noticing that the original PEAR installer (go-pear.phar) had been swapped out on their file system. The malicious version appears to have been available for download for roughly six months, meaning anyone who downloaded the file from the official website in that window could have been compromised.

“A security breach has been found on the http://pear.php.net webserver, with a tainted go-pear.phar discovered,” reads a notice on the official website. “The PEAR website itself has been disabled until a known clean site can be rebuilt. A more detailed announcement will be on the PEAR Blog once it’s back online.”

Although PEAR is open source and community-driven, supply chain attacks of this kind are not uncommon. Security researchers even predicted that this attack method would become far more common in 2019, as threat actors exploit vulnerabilities in websites to replace legitimate binaries with tampered ones.

“If you have downloaded this go-pear.phar in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes,” the notice reads. “If different, you may have the infected file.”

The developers have stated that only the copy hosted on the official website was affected, with the GitHub release apparently untouched, but they still advise everyone to compare the hash of any downloaded go-pear.phar against the GitHub copy of the same release.

A new, clean version 1.10.10 of pearweb_phars is now available on GitHub for everyone to download and install. But until the official website is back online, there is little information about how attackers might have used the tainted version to compromise victims.

With no information on who was behind the attack, how many users were affected, or in what way, everyone is encouraged to take appropriate steps, starting with downloading the newest version and auditing their systems for copies of the tainted file.
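One way to carry out the hash comparison the notice recommends, and the follow-up audit of a host for stray copies, as an added shell example that is not part of the original article or of the PEAR project: it assumes a known-good go-pear.phar of the same release has already been fetched from the pear/pearweb_phars repository on GitHub and saved under a placeholder path, and that either sha256sum or shasum is installed. The function names and the demo files are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the PEAR project or the advisory.
# Compares the SHA-256 of every go-pear.phar found on a host against a
# known-good reference copy of the same release (assumed to be the file
# fetched from pear/pearweb_phars on GitHub). All paths are placeholders.

# Print the SHA-256 hex digest of a file; works with coreutils or BSD tools.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_phar_hash REFERENCE CANDIDATE
# Returns 0 when the digests match, 1 when they differ, 2 if a file is missing.
verify_phar_hash() {
    ref="$1"
    cand="$2"
    if [ ! -f "$ref" ] || [ ! -f "$cand" ]; then
        echo "missing file: $ref or $cand" >&2
        return 2
    fi
    ref_sum=$(sha256_of "$ref")
    cand_sum=$(sha256_of "$cand")
    if [ "$ref_sum" = "$cand_sum" ]; then
        echo "OK       $cand $cand_sum"
        return 0
    fi
    echo "MISMATCH $cand" >&2
    echo "  expected $ref_sum" >&2
    echo "  got      $cand_sum" >&2
    return 1
}

# find_and_verify REFERENCE DIR
# Walks DIR for every file named go-pear.phar and checks each one. The return
# value is the number of mismatching (or unreadable) copies, so 0 means clean.
find_and_verify() {
    ref_file="$1"
    bad=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        verify_phar_hash "$ref_file" "$f" || bad=$((bad + 1))
    done <<EOF
$(find "$2" -name go-pear.phar -type f)
EOF
    return "$bad"
}

# Constructed demo: a fake reference plus one clean and one tampered copy.
demo() {
    tmp=$(mktemp -d)
    printf 'pretend clean go-pear.phar\n' > "$tmp/go-pear.phar.reference"
    mkdir -p "$tmp/clean" "$tmp/tampered"
    cp "$tmp/go-pear.phar.reference" "$tmp/clean/go-pear.phar"
    printf 'pretend tampered go-pear.phar\n' > "$tmp/tampered/go-pear.phar"
    find_and_verify "$tmp/go-pear.phar.reference" "$tmp"
    echo "mismatching copies: $?"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh verify-go-pear.sh demo` to see it against the constructed files, or call `find_and_verify` with the reference copy and `/` (or your PHP install prefix) to sweep a real host; a non-zero return is the count of copies whose digest differs from the reference. A matching hash only proves the file is byte-identical to the GitHub release; it says nothing about what a tainted copy may already have done on a machine where it was executed, which is why the audit belongs alongside, not instead of, incident response on hosts that ran the installer in the affected window.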

The PEAR team promises to come back with more details as its investigation progresses and the official website becomes operational again.
