The PHP development team has averted an attempted supply chain compromise that could have opened a backdoor into many web servers. The unidentified attackers disguised the proposed changes as attempts to fix a typo, but their true nature was recognized by the developers before making it into production. The PHP team has reset all passwords and is asking users to set a new one for their account. The team has also decided to stop using their own git infrastructure and make the GitHub repositories canonical. This change also means that it is now possible to merge pull requests directly from the GitHub web interface.
Source: https://www.helpnetsecurity.com/2021/03/29/backdoor-php/