pear
PEAR PHP installer go-pear.phar compromised on server
The official go-pear.phar installer on pear.php.net was replaced with a malicious version and left in place for roughly six months. Anyone bootstrapping PEAR from the trusted server risked executing a backdoored installer, a thin bootstrap script turned into a long-lived foothold.
- Date
- 2018-06-20 to 2019-01-19
- Category
- Open Source
- Target Surface
- Distribution
- Insertion Phase
- distribution
- Impact
- Backdoor
- Cause
- Compromised Infrastructure
What Was Affected
Package
pear
LanguagePHP
ComponentLibrary
Artifact typebinary archive
Domain typeproject download host
Domain
pear.php.net
Incident Context
- Motive
- Unauthorized Access/Control
- Attribution
- Individual Hacker
- Transitive
- No
- Observed Duration
- 213 days
Evidence
Compromised Artifacts
Current Artifacts and Analysis
Indicators and Changes
Hashes
sha1:1e623a48b8991980e93896153651135ab7ab82a0
External References
Source Data
Source record: oss/pear/meta.yaml