PHP maintainers say they suspect a possible leak of the master.php.net user database. Last month, unidentified actors used the names of Rasmus Lerdorf and Nikita Popov to push malicious commits to the “php-src” repository. The commits carried a backdoor into the PHP source code, an instance of a software supply chain attack. They were pushed using HTTPS and password-based authentication, which led the maintainers to suspect that a leaked user database containing passwords was used to make the unauthorized changes to the repository.
Source: https://thehackernews.com/2021/04/php-sites-user-database-was-hacked-in.html