News

The commits were pushed to the php-src repository, giving attackers a supply-chain opportunity to infect websites that pick up the malicious code believing it to be legitimate.
Two updates pushed to the PHP Git server over the weekend added a line that, if run by a PHP-powered website, would have allowed visitors with no authorization to execute code of their choice.
Attackers were able to place malicious code in the PHP central code repository by impersonating key developers, forcing changes to the PHP Group's infrastructure.
But that is hardly surprising: with source-code version control systems like Git, it is possible to sign off a commit as coming from anybody else [1, 2] locally and then upload the spoofed ...