Poisoned PEAR. PHP extension repository download infected for up to six months

Server down following security breach.

Graham Cluley
Graham Cluley
@[email protected]

Poisoned PEAR. Official PHP extension repository infected for up to six months

The administrators of the PEAR package manager website have taken the site offline, having discovered that hackers breached the site, and planted a backdoor into the software.

PEAR (PHP Extension and Application Repository) is a framework and distribution system for reusable PHP components, making it easier for PHP developers – many of whom are creating websites – to reuse existing open-source libraries or packages rather than code from scratch.

Normally, PHP developers download PEAR from pear.php.net, but if you go there right now, this is what you will see…

Sign up to our free newsletter.
Security news, advice, and tips.

Pear down

A security breach has been found on the http://pear.php.net webserver, with a tainted go-pear.phar discovered. The PEAR website itself has been disabled until a known clean site can be rebuilt. A more detailed announcement will be on the PEAR Blog once it’s back online.

If you have downloaded this go-pear.phar in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes. If different, you may have the infected file.

What is perhaps most alarming is that it appears that anyone downloading and installing an updated edition from PEAR in the last half-year could have been compromised.

For once it’s quite a good thing if you weren’t diligently downloading every update for every piece of software running on your web server!

Users who wish to download an up-to-date and unaffected version of PEAR are being directed to Github.

No date has yet been given by the PEAR team as to when the pear.php.net website will return to normal service. My guess is that they could be some time – hopefully they’re thoroughly investigating how their website became compromised in the first place, and ensuring that no security holes exist that could allow a malicious attacker to simply break in again when the website is brought back up.

Readers with long memories will perhaps recall that this isn’t the first time one of the official PHP websites has been hacked to spread malware.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.