
PHP PEAR Site hacked, official Package Manager replaced

Reference: Advisory #2019-002
Version: 1.0
Affected software: PHP PEAR package manager
Type: Supply chain attack, Remote Code Execution

Sources

http://blog.pear.php.net/

https://github.com/pear/

https://twitter.com/pear

https://thehackernews.com/2019/01/php-pear-hacked.html

Risks

The PHP PEAR package manager repository has recently been compromised.

CERT.be recommends that system administrators closely follow this situation and act accordingly should they be running a compromised version of the PHP PEAR package manager.

The malicious module inside the compromised versions of the PHP PEAR package manager can spawn a reverse shell via Perl, allowing attackers to take complete control of the affected system.

This document will be updated accordingly as the situation evolves.

Description

The PEAR team has published more details about the recent security incident, explaining that the tainted "go-pear.phar" found on its server appears to have been planted after the last official file release on 20 December 2018.

After analyzing the tainted version of the package manager, the team found that the malicious module "spawn a reverse shell via Perl to IP 104.131.154.154" from the infected servers, allowing attackers to take complete control over them, including the ability to install apps, run malicious code, and steal sensitive data.

According to the DCSO, a German cybersecurity organization that also analyzed the tainted code, the server IP address 104.131.154.154 points to the web domain bestlinuxgames[.]com, which it believes was a compromised host used by the attackers.

"This IP has been reported to its host in relation to the taint. No other breach was identified. The install-pear-nozlib.phar was ok. The go-pear.phar file at GitHub was ok and could be used as a good md5sum comparison for any suspect copies," the PEAR team said in a series of tweets.

"So, if you downloaded go-pear.phar since 12/20 in order to run it once to install the PEAR package on your system, you should be concerned, particularly if your system has 'sh' and 'perl' available."

"Also note that this does not affect the PEAR installer package itself... it affects the go-pear.phar executable that you would use to initially install the PEAR installer. Using the 'pear' command to install various PEAR packages is not affected."

Recommended Actions

The PEAR team is currently rebuilding a 'clean' version of their website. Meanwhile it is still possible to clone their GitHub repository, check out the tag of the release you want, cd into it and install from there.
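The PEAR team's advice above is to compare any suspect go-pear.phar against the known-good copy from GitHub. The script below is an added example, not code from CERT.be or the PEAR project: it compares a downloaded copy against a reference copy by md5sum, as the tweet suggests, and greps the file for the C2 address named in this advisory. All file names and file contents in it are constructed stand-ins so it runs offline.

```shell
#!/bin/sh
# Added example, not code from CERT.be or the PEAR project: check a downloaded
# go-pear.phar against a known-good reference copy (the PEAR team points to the
# copy in the pear GitHub repository) and grep it for the C2 address named in
# the advisory. All file names and file contents below are constructed stand-ins.

# verify_phar SUSPECT REFERENCE: compare md5sums, return 0 only on a match.
verify_phar() {
    suspect_sum=$(md5sum "$1" | cut -d' ' -f1)
    reference_sum=$(md5sum "$2" | cut -d' ' -f1)
    if [ "$suspect_sum" != "$reference_sum" ]; then
        echo "MISMATCH: $1 ($suspect_sum) != reference ($reference_sum)"
        return 1
    fi
    echo "OK: $1 matches reference"
}

# ioc_scan FILE: return 0 (hit) if the advisory's C2 IP appears in the file.
ioc_scan() {
    grep -q '104\.131\.154\.154' "$1"
}

# Constructed samples: a "clean" copy identical to the reference and a
# "tainted" copy carrying the indicator. Real phars are binary archives;
# these are plain-text stand-ins so the script runs offline.
workdir=$(mktemp -d)
reference="$workdir/go-pear-reference.phar"
clean="$workdir/go-pear-clean.phar"
tainted="$workdir/go-pear-tainted.phar"
printf 'stand-in for the untouched go-pear.phar\n' > "$reference"
cp "$reference" "$clean"
cp "$reference" "$tainted"
printf 'appended stand-in payload contacting 104.131.154.154\n' >> "$tainted"

# Demo run: a copy that matches the reference and carries no IoC is fine; a
# mismatching copy must be treated as suspect and inspected before any use.
for f in "$clean" "$tainted"; do
    if verify_phar "$f" "$reference" && ! ioc_scan "$f"; then
        echo "VERDICT: $f clean"
    else
        echo "VERDICT: $f suspect, do not run"
    fi
done
```

A hash match against the GitHub copy is the check the PEAR team recommended; the IoC grep is only a secondary signal, since a mismatching copy is suspect whether or not that string appears.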

Software distributions will investigate and update the versions of PEAR they distribute in the near future. Users are advised to patch their installations as soon as updates are available.