PEAR installer served Perl backdoor
The official go-pear.phar installer on pear.php.net was replaced for roughly six months. The malicious installer enabled a Perl backdoor and exposed systems that built PEAR from the official site.
Story
PEAR was an older distribution channel for PHP code, and go-pear.phar was its bootstrap installer. In January 2019, maintainers found that the copy served from pear.php.net had been replaced on the project server.
The exposure window was long. PEAR warned that anyone who downloaded go-pear.phar during the prior six months should compare it against the clean GitHub copy. Rapid7 reported that, as far as PEAR knew at the time, only the copy on pear.php.net was affected.
cPanel described the malicious installer as an extractor that enabled a Perl backdoor and opened a shell to a remote infected server. That gave the attacker a path to install applications, run code, and capture sensitive data. DCSO published a MISP event for defenders under UUID 5c46dd16-2ed0-4604-ab12-181cac12042b.
The project took most of pear.php.net offline while it investigated. Users were told to fetch the same release from pear/pearweb_phars, compare hashes, and treat mismatches as compromise evidence. This was not dependency confusion or a lookalike package; it was the official installer file, served from the official site, replaced in place.
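The comparison PEAR asked users to make, as an added example (not code from PEAR or from this record): it sweeps a directory tree for copies of go-pear.phar and checks each against a clean copy already fetched from pear/pearweb_phars and against the two hashes listed under Affected Artifacts, which are assumed here to identify the tampered file. The function names and command-line arguments are hypothetical.

```python
import hashlib
import os

# Hashes listed under "Affected Artifacts" on this page; assumed here to
# identify the tampered go-pear.phar.
KNOWN_BAD = {
    "sha1": "1e623a48b8991980e93896153651135ab7ab82a0",
    "md5": "1e26d9dd3110af79a9595f1a77a82de7",
}

def digests(path, algos=("md5", "sha1", "sha256"), chunk=1 << 20):
    """Stream a file once and hash it with every algorithm in algos."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def classify(candidate, reference):
    """Return 'known-bad', 'mismatch' or 'match' for one installer copy."""
    got = digests(candidate)
    if any(got[a] == bad for a, bad in KNOWN_BAD.items()):
        return "known-bad"
    # SHA-256 decides equality with the clean reference copy; MD5 and SHA-1
    # are used only to look up the listed indicators.
    if got["sha256"] != digests(reference, ("sha256",))["sha256"]:
        return "mismatch"
    return "match"

def sweep(root, reference, name="go-pear.phar"):
    """Classify every file called `name` found under root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            path = os.path.join(dirpath, name)
            results[path] = classify(path, reference)
    return results

if __name__ == "__main__":
    import sys
    # argv[1]: directory to search; argv[2]: clean copy from pear/pearweb_phars
    for path, verdict in sorted(sweep(sys.argv[1], sys.argv[2]).items()):
        print(f"{verdict:10} {path}")
```

A "mismatch" only means the copy differs from the reference, so the reference must be the same release version as the copy being checked.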
Affected Artifacts
- Observed: 2018-06-20 to 2019-01-19
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes:
  - sha1:1e623a48b8991980e93896153651135ab7ab82a0
  - md5:1e26d9dd3110af79a9595f1a77a82de7
Incident Context
- Motive: Unauthorized Access Control
- Attribution: Person
- Cause: Compromised Infrastructure
- Transitive: No
- Actor: Individual Hacker
External References
- Someone Hacked PHP PEAR Site and Replaced the Official Package Manager (thehackernews.com)
- pear.php.net probably compromised (blog.paranoidpenguin.net)
- PEAR security breach announcement (twitter.com)
- PHP Extension and Application Repository (PEAR) Compromise: What You Need to Know (rapid7.com)
- When PHP Went Pear Shaped - The PHP PEAR Compromise (cpanel.net)
- Blast from the Past (thephp.cc)
Source record: oss/attacks/pear/meta.yaml