Officials with the widely used PHP Extension and Application Repository have temporarily shut down most of their website and are urging users to inspect their systems after discovering hackers replaced the main package manager with a malicious one.

“If you have downloaded this go-pear.phar [package manager] in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes,” officials wrote on the site’s blog. "If different, you may have the infected file.”

The officials didn’t say when the hack of their Web server occurred or precisely what the malicious version of go-pear.phar did to infected systems. Initial indications, however, look serious. For starters, the advice applies to anyone who has downloaded the package manager in the past six months. That suggests the hack may have occurred in the timeframe of last July, and no one noticed either it or the tainted download until this week.

What’s more, results from VirusTotal, the Google-owned malware scanning service, suggest that the malicious PEAR download installed a backdoor, possibly in the form of a Web shell, on infected servers. If true, the backdoor almost certainly gives the hackers complete control—including the ability to install applications, execute malicious code, and download sensitive data—over any machine that installed the malicious download.

PEAR officials didn’t respond to questions about how and when the breach of their Web server occurred or what the malicious download did. On Twitter, they said the go-pear.phar download available on Github wasn’t affected by the hack. They also said they had updated pearweb.phars, the download that includes a variety of smaller files, to add GPG signature files for each phar file. That will allow users to more easily verify the authenticity of each individual PEAR component.

Infecting the source

PEAR’s advisory is the latest to expose what’s known as a supply-chain attack. These attacks are particularly effective because a single hack poisons software at its source where potentially large numbers of people go to get their downloads. The best-known example of a recent supply chain attack is the backdoor that infected 2.27 million computers that installed a software update for the CCleaner disk utility program in 2017. Hackers slipped the backdoor into the update after breaching the CCleaner build system. The backdoor went undetected for 31 days.

The virulent NotPetya ransomware worm in July 2017 was also seeded after attackers infected M.E.Doc, a developer of a tax-accounting application that's widely used in Ukraine. The attackers then caused the company's update mechanism to spread the ransomware. Other supply-chain attacks include the infection of 100 banks worldwide, also in 2017, when they installed server- or network-management products sold by software maker NetSarang. Last October, two supply-chain attacks came to light, one affecting control-panel interface VestaCP and the other the official repository for the widely used Python programming language.

One way to reduce the chances of falling victim to supply-chain attacks is to compare the hash digest of downloaded files to the hash published by the developer. This is by no means a fool-proof protection, because hackers who have the ability to alter installation files may also have the ability to change published hashes. Still, it remains effective in many cases, particularly where the hash is published on a wide number of mirror sites.

Anyone who has installed PEAR installation files downloaded from pear.php.net should thoroughly analyze their systems for signs of infection and await further information from PEAR officials.