January 24, 2019
Maintainers of the PHP Extension and Application Repository (PEAR) have disclosed a breach that resulted in the compromise of the go-pear.phar executable used to install the PEAR installer package manager v1.10.9. The PEAR installer is optionally used by Magento 1 installations. It is not used in Magento 2, where it is replaced by Composer. Users who have downloaded this version from pear.php.net in the past 6 months are urged to download the same version from GitHub and compare the hashes. If those hashes do NOT match, the package manager from pear.php.net should be treated as compromised and replaced with a known clean version (1.10.10 or later).
How do I know if I’m impacted?
According to the PEAR maintainers, your environment is impacted if you downloaded v1.10.9 from pear.php.net in the past 6 months, and you used go-pear.phar to perform a PEAR installation.
If you are impacted, replace the tainted version of PEAR with version 1.10.10 or later acquired from GitHub. You should also conduct a forensic investigation of the environment for signs of compromise. According to the PEAR maintainers, an unauthorized line of code was introduced that was designed to spawn a reverse shell via Perl to IP 18.104.22.168.
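
The hash comparison and the search for the unauthorized line described above can be scripted as follows. This is an added example, not code from the PEAR maintainers or Magento. It assumes both copies of go-pear.phar are already saved locally; the choice of SHA-256 and the function names are assumptions of the example.

```python
import hashlib
from pathlib import Path

# IP address named in the advisory as the reverse-shell destination.
ADVISORY_IP = b"18.104.22.168"


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large archives are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_go_pear(suspect, reference):
    """Compare a go-pear.phar from pear.php.net with the GitHub copy.

    Returns a dict with both hashes, whether they match, and the lines
    that exist only in the suspect file (candidate injected code).
    """
    result = {
        "suspect_sha256": sha256_file(suspect),
        "reference_sha256": sha256_file(reference),
    }
    result["match"] = result["suspect_sha256"] == result["reference_sha256"]
    result["extra_lines"] = []
    if not result["match"]:
        # A phar mixes PHP source and binary data, so work on raw bytes.
        known = set(Path(reference).read_bytes().splitlines())
        for number, line in enumerate(Path(suspect).read_bytes().splitlines(), 1):
            if line not in known:
                result["extra_lines"].append({
                    "line": number,
                    "text": line[:200].decode("latin-1"),
                    "has_advisory_ip": ADVISORY_IP in line,
                    "mentions_perl": b"perl" in line.lower(),
                })
    return result


if __name__ == "__main__":
    import sys
    report = check_go_pear(sys.argv[1], sys.argv[2])
    print(report)
    sys.exit(0 if report["match"] else 1)
```

A hash mismatch alone is enough to treat the pear.php.net copy as compromised; the listed lines only help scope the forensic investigation.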