If you are one of them who have downloaded the PHP PEAR package manager in last six months from the official website, then your server might have been compromised. In January this year, the PHP maintainers at PEAR took down the official website (pear-php.net) after it was noticed that the original PHP PEAR package manager (go-pear.phar) was replaced with a modified version of the same in the core PEAR file system. Despite being in the process of analyzing the malicious package, the PEAR developers published a security announcement on 19th of January, 2019 confirming that the allegedly hacked website had been serving the installation file containing the malicious code to download for nearly half a year.
The PEAR or the PHP Extension and Application Repository is a community driven framework and distribution system that offers to search and download free libraries written in PHP programming language. These sorts of open libraries or the packages permits the developers to include additional functionalities into their projects and websites with ease that even includes authentication, encryption, caching, web services and lot more. Whenever you download the PHP software for systems like Unix, Linux or BSD systems, the PEAR download manager comes as a pre-installed package while the users of the Windows and Mac OS X needs to install the component manually when required.
From the information gained through the PEAR maintainers, the team are actively performing a forensic investigation determining the extent of the attack and the method the attackers implemented to compromise the server in the first place. A new version of the PEAR package manager, version 1.10.10 pearweb_phar has been released and made available on Github. The developers also mentioned that the Github copy of the go-pear.phar was not compromised and only the copy of pear.php.net server was highly impacted. The brain behind the attack has remained unknown as the PEAR officials have not released any details regarding the security incident.