bfunky/http-parser Packagist package backdoored with host stealer
An attacker pushed an Analytics.php payload into bfunky/http-parser and re-tagged 11 historical releases on GitHub, causing Packagist to serve a host-data stealer to anyone installing the abandoned PHP HTTP parser.
Story
Someone quietly slipped a credential beacon into bfunky/http-parser, a small PHP library that had not seen a release since 2018, and re-tagged nearly a dozen historical versions on GitHub to make Packagist serve the backdoored code to anyone who installed it.
The library, used by a small number of PHP applications to parse HTTP messages, was first re-published on May 8, 2026. A post to r/blueteamsec on Reddit flagged the change later that week. According to the commit history, the attacker added a new file at src/Analytics.php and dropped a single require_once line into AbstractHttpParser.php. Because Composer's autoloader pulls in AbstractHttpParser.php as soon as a parser class built on it is referenced, the payload runs on ordinary use of the library; no exploit chain is required.
The same day, the attacker tagged versions 2.1.0 and 2.2.0 through 2.2.4 against the new commits. Six days later, the historical 1.0.0 through 1.0.4 tags were also moved to a fresh commit carrying the same payload, and version 2.2.5 was added to the 2.x line. Packagist, the central Composer package index, followed the tags and served the rewritten zipballs. The author header in AbstractHttpParser.php had been changed from "Jairo Rodríguez" to the lowercase "jairo.rodriguez," and the commit message on the 2.1.0 retag was simply "[2.2.3]" — patterns more consistent with account takeover than a long-absent maintainer's return.
Analytics.php itself is short. It disables TLS verification and POSTs JSON to a URL hidden as base64 — aHR0cHM6Ly80NC4yMTAuOTQuMzgvcGFja2FnaXN0LnBocA==, which decodes to https://44.210.94.38/packagist.php. The body carries the hostname, SERVER_NAME, SERVER_ADDR, the working directory, php_uname() output, and the full process environment from getenv(). After a successful send, the code writes a marker file in the system temporary directory so the beacon fires only once per host. The file's header copies Composer's autogenerated boilerplate, making it read like routine plumbing on casual inspection.
The environment dump is the prize. PHP processes routinely hold database passwords, API keys, and cloud credentials in their environment. Packagist lists 36,469 lifetime downloads and roughly 675 per month for the package, so the exposed population is small. But any code path that loads the base parser class reaches the payload, and the collection server was still accepting connections at the time this record was published.
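An offline audit for the indicators described above, added here as an example; it is not code from the advisory, the package, or the Reddit thread. It checks composer.lock for a pin to one of the re-tagged versions or to the commit the record cites, and scans the installed vendor copy for src/Analytics.php, the require_once hook, and the base64 literal. It assumes the hook is a literal require_once line naming Analytics.php (the record gives only that description), treats d1c67b2a… as the only known bad reference (the SHA of the separate 1.0.x retag commit is not given), and runs against a constructed sample project whose Analytics.php contains only the base64 string, not the real payload.

```python
"""Offline audit for the bfunky/http-parser backdoor (added example, not project code)."""
import base64
import json
import re
import tempfile
from pathlib import Path

PACKAGE = "bfunky/http-parser"

# Releases moved to attacker-authored commits between 2026-05-08 and 2026-05-17.
RETAGGED = {
    "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4",
    "2.1.0", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.2.5",
}

# Backdoor commit cited in the record. The 1.0.x retag commit SHA is not listed,
# so a re-tagged version pinned to an unlisted reference is sent for manual review.
KNOWN_BAD_REFS = {"d1c67b2a59301c753e69eabee2ef1c265b111936"}

# Base64 literal carried by Analytics.php; it decodes to the collection URL.
C2_B64 = "aHR0cHM6Ly80NC4yMTAuOTQuMzgvcGFja2FnaXN0LnBocA=="

# Assumed shape of the injected hook (the record only says "a single require_once line").
REQUIRE_HOOK = re.compile(r"require_once\b[^;]*Analytics\.php")


def decode_c2(b64: str = C2_B64) -> str:
    """Decode the obfuscated collection URL."""
    return base64.b64decode(b64).decode("ascii")


def check_lock(lock_path: Path) -> list[str]:
    """Flag lock entries that pin the package to a re-tagged version or a known-bad commit."""
    findings = []
    data = json.loads(lock_path.read_text())
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") != PACKAGE:
            continue
        version = pkg.get("version", "").lstrip("v")
        ref = (pkg.get("source") or {}).get("reference") or (pkg.get("dist") or {}).get("reference")
        if ref in KNOWN_BAD_REFS:
            findings.append(f"lock: {PACKAGE} {version} pinned to known backdoor commit {ref}")
        elif version in RETAGGED:
            findings.append(f"lock: {PACKAGE} {version} was re-tagged; review pinned reference {ref}")
    return findings


def check_vendor(vendor_dir: Path) -> list[str]:
    """Look for the payload file and its indicators in the installed copy."""
    findings = []
    pkg_dir = vendor_dir / "bfunky" / "http-parser"
    if not pkg_dir.is_dir():
        return findings
    if (pkg_dir / "src" / "Analytics.php").is_file():
        findings.append("vendor: src/Analytics.php is present (absent from clean releases)")
    for php in sorted(pkg_dir.rglob("*.php")):
        text = php.read_text(errors="replace")
        rel = php.relative_to(pkg_dir).as_posix()
        if C2_B64 in text:
            findings.append(f"vendor: {rel} embeds base64 collection URL -> {decode_c2()}")
        if REQUIRE_HOOK.search(text):
            findings.append(f"vendor: {rel} contains the require_once hook for Analytics.php")
    return findings


def audit(project_root: Path) -> list[str]:
    """Run both checks against a Composer project directory."""
    findings = []
    lock = project_root / "composer.lock"
    if lock.is_file():
        findings += check_lock(lock)
    findings += check_vendor(project_root / "vendor")
    return findings


def build_sample_project(root: Path) -> Path:
    """Constructed sample of a compromised install: lock pinned to the cited commit,
    a hooked AbstractHttpParser.php and a stand-in Analytics.php holding only the base64 literal."""
    lock = {"packages": [{
        "name": PACKAGE, "version": "2.2.3",
        "source": {"type": "git", "url": "https://github.com/bfunky/http-parser.git",
                   "reference": "d1c67b2a59301c753e69eabee2ef1c265b111936"},
    }]}
    (root / "composer.lock").write_text(json.dumps(lock))
    src = root / "vendor" / "bfunky" / "http-parser" / "src"
    src.mkdir(parents=True)
    (src / "AbstractHttpParser.php").write_text(
        "<?php\nrequire_once __DIR__ . '/Analytics.php';\nabstract class AbstractHttpParser {}\n")
    (src / "Analytics.php").write_text(f"<?php\n$url = base64_decode('{C2_B64}');\n")
    return root


def run_sample() -> list[str]:
    """Build the constructed sample in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_project(Path(tmp)))


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The lock check looks at the pinned commit reference rather than the version string alone because a committed composer.lock records that reference and Composer's dist URL embeds it, so `composer install` against an existing lock keeps fetching the original commit after the tag moves; it is `composer update`, or an install without a lock, that resolves the re-tagged zipball. A version in RETAGGED with a reference that is not the cited SHA is therefore reported for review, not cleared.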
Affected Artifacts
- Observed: 2026-05-08 to 2026-05-17
- Fixed: 2.0.0
- Evidence:
  - distribution: packagist.org/packages/bfunky/http-parser
  - distribution: github.com/bfunky/http-parser
  - mirror: github.com/bfunky/http-parser/commit/d1c67b2a59301c753e69eabee2ef1c265b111936
  - mirror: reddit.com/r/blueteamsec/comments/1tfhhl9/somebody_backdoored_the_package_bfunkyhttpparser
  - +12 more
  - Package had no releases between 2018 and 2026-05-08; the May 2026 retagging of historic 1.0.x releases pinned them to a new attacker-authored commit that also embeds Analytics.php.
  - Author header in src/AbstractHttpParser.php was changed from "Jairo Rodríguez" to "jairo.rodriguez" in the malicious commit, and the 2.1.0 retag commit message is "[2.2.3]", indicating account compromise rather than a deliberate maintainer release.
  - Packagist reports 36469 lifetime downloads and roughly 675 monthly; affected-user count is not separately confirmed.
Incident Context
- Motive: Credential Theft
- Attribution: Person
- Cause: Maintainer Account Compromise
- Transitive: No
External References
Source record: oss/attacks/bfunky-http-parser/meta.yaml