A researcher said Wednesday that two malicious commits added to the PHP web development programming language’s official Git server earlier this week might have been prevented if the maintainers had enabled signed commits (cryptographic signing of each commit) on the server.
For those unschooled in the language of programming, a commit in the Git world is a recorded set of changes to a source code repository. A malicious commit is one that introduces malicious code into the repository. When a programmer cryptographically signs a commit, the result is known as a signed commit.
Asaf Karas, co-founder and CTO of Vdoo, noted that while there’s no silver bullet and security researchers don’t know precisely how the attackers compromised the PHP server, as far as he could tell, the malicious commits used by the PHP server attackers were not signed commits.
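As an added example (not code from the article or from the PHP project), here is a server-side Git pre-receive hook that refuses any push containing a commit whose signature is missing, bad or not trusted, which is the kind of control the quote above refers to. It assumes git and gpg are installed on the server and that the maintainers' public keys are in the hook user's keyring.

```shell
#!/bin/sh
# pre-receive hook: reject pushes that carry commits without a good, trusted
# signature. Added example, not from the original article.

# Reads lines of "<sha> <status>" on stdin, the format produced by
# `git log --format='%H %G?'`, and prints a REJECT line for every commit
# whose status is not "G" (good, trusted signature).
# Returns 0 when every commit passes, 1 otherwise.
check_signature_lines() {
    bad=0
    while read -r sha status; do
        [ -z "$sha" ] && continue
        case "$status" in
            G) ;;                                                   # good signature from a trusted key
            B)   echo "REJECT $sha: bad signature"; bad=1 ;;
            U)   echo "REJECT $sha: good signature, key not trusted"; bad=1 ;;
            X|Y) echo "REJECT $sha: signature or key expired"; bad=1 ;;
            R)   echo "REJECT $sha: signing key revoked"; bad=1 ;;
            E)   echo "REJECT $sha: cannot verify (public key missing)"; bad=1 ;;
            N)   echo "REJECT $sha: unsigned commit"; bad=1 ;;
            *)   echo "REJECT $sha: unknown status '$status'"; bad=1 ;;
        esac
    done
    return $bad
}

# Hook entry point. git feeds "<old> <new> <ref>" lines on stdin and sets
# GIT_DIR; the guard lets the file be sourced for testing without git.
ZERO="0000000000000000000000000000000000000000"
if [ -n "$GIT_DIR" ]; then
    while read -r old new ref; do
        [ "$new" = "$ZERO" ] && continue            # branch deletion: nothing to verify
        if [ "$old" = "$ZERO" ]; then
            range="$new"                            # new branch: every reachable commit
        else
            range="$old..$new"                      # existing branch: only the new commits
        fi
        git log --format='%H %G?' "$range" | check_signature_lines || exit 1
    done
fi
```

Install it as `hooks/pre-receive` (executable) in the bare repository on the server; the verification of each commit is done by git itself via gpg, the hook only enforces the verdict.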