www.belgium.be Logo of the federal government

PHP PEAR Site hacked, official Package Manager replaced

Advisory #2019-002
Affected software: 
PHP PEAR package manager
Chain of Supply attack, Remote Code Execution







The PHP PEAR package manager repository has recently been compromised.

CERT.be recommends systems administrators to closely follow up this situation and act accordingly should they be running a compromised version of PHP PEAR package manager.

The malicious module inside the compromised versions of the PHP PEAR package manager has the ability to spawn a reverse shell via Perl allowing attackers to take complete control of the affected system.

This document will be updated accordingly as the situation evolves.


The PEAR team has published more details about the recent security incident, explaining the tainted "go-pear.phar" found on its server appeared to be planted after the last official file release on 20 December 2018.

After analyzing the tainted version of the package manager, the team found that the malicious module "spawn a reverse shell via Perl to IP" from the infected servers, allowing attackers to take complete control over them, including the ability to install apps, run malicious code, and steal sensitive data.

According to the DCSO, a German cybersecurity organization who also analyzed the tainted code, the server IP address points to a web domain bestlinuxgames[.]com, which it believes was a compromised host used by the attackers.

"This IP has been reported to its host in relation to the taint. No other breach was identified. The install-pear-nozlib.phar was ok. The go-pear.phar file at GitHub was ok and could be used as a good md5sum comparison for any suspect copies," PEAR team said in a series of tweets.

"So, if you downloaded go-pear.phar since 12/20 in order to run it once to install the PEAR package on your system, you should be concerned, particularly if your system has 'sh' and 'perl' available."

"Also note that this does not affect the PEAR installer package itself... it affects the go-pear.phar executable that you would use to initially install the PEAR installer. Using the 'pear' command to install various PEAR package is not affected."

Recommended Actions

The PEAR Team is actually rebuilding a ‘clean’ version of their website. Meanwhile it’s still possible to clone their GitHub repository, checking the tag of the release you want, cd and install.

Software distributions will investigate and update the versions of PEAR they distribute in the near future. Users are advised to patch their installations as soon as updates are available.