PHP’s Git server hacked to add backdoors to PHP source code

The counter argument to “update everything automatically” is that it leaves you wide open to supply chain hacks like this. On balance I still recommend a “patch, then test for suspicious activity” approach rather than “patch test server, test, deploy to production” as, for most operations, the sheer volume of updates would overwhelm your capacity to effectively test everything..:

In the latest software supply chain attack, the official PHP Git repository was hacked and tampered with. Yesterday, two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their server. The threat actors had signed off on these commits as if they were made by known PHP developers. […]

Original Article