PHP PEAR Package Manager Supply Chain Compromise (January 2019)
Primary Source: Incident Details
In January 2019, the PHP PEAR (PHP Extension and Application Repository) team announced that the official pear.php.net web server had been compromised by an unknown attacker who replaced the legitimate go-pear.phar package manager installer with a backdoored version. The malicious file had been available for download from the official site since approximately December 20, 2018, meaning any developer or sysadmin who downloaded the PEAR installer from pear.php.net in the preceding month was potentially affected.
The tainted go-pear.phar contained an embedded Perl-based reverse shell backdoor that, when executed, would connect outbound to the attacker’s command-and-control server at IP address 104.131.154.154. This gave the attacker remote shell access and full control over the compromised system, allowing installation of additional malware, lateral movement, credential theft, and arbitrary code execution on the affected server.
The PEAR project disclosed the incident via Twitter on January 19, 2019, and took pear.php.net offline for the duration of the investigation. Users who had downloaded go-pear.phar from the official website in the previous six months were advised to obtain a clean copy from the project’s GitHub repository and verify its file hash against the published value.
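As an added example (not code from the PEAR project or from the original write-up), the following Python script shows the two defensive checks the text describes: verifying a downloaded go-pear.phar against a pinned known-good SHA-256, and scanning both the file and outbound-connection logs for the indicators the write-up names (an embedded Perl stub and the C2 address 104.131.154.154). The known-good hash is a labelled placeholder, and the sample installer bytes and log lines are constructed for illustration.

```python
import hashlib
import re
from typing import Dict, List

# Indicator taken from the incident write-up: the backdoor's command-and-control address.
C2_IP = "104.131.154.154"

# PLACEHOLDER (assumption, not a real value): the SHA-256 of a clean go-pear.phar,
# obtained from the PEAR project's GitHub repository rather than from pear.php.net.
KNOWN_GOOD_SHA256 = "<sha256-of-clean-go-pear.phar-from-github>"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory file image as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """SHA-256 of a file on disk, read in chunks so large .phar files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_matches(data: bytes, expected_hex: str) -> bool:
    """True only when the downloaded bytes hash to the pinned known-good value."""
    return sha256_hex(data) == expected_hex.strip().lower()


def find_indicators(data: bytes) -> List[str]:
    """Scan the installer bytes for the indicators the write-up names.

    A clean go-pear.phar is PHP; an embedded Perl interpreter reference or the
    C2 address appearing inside it is a reason to treat the file as tainted.
    """
    hits = []
    if C2_IP.encode() in data:
        hits.append("c2-ip:" + C2_IP)
    if re.search(rb"\bperl\b", data):
        hits.append("perl-invocation")
    return hits


def assess_installer(data: bytes, expected_hex: str) -> Dict[str, object]:
    """Combine the hash check and the indicator scan into one verdict."""
    indicators = find_indicators(data)
    hash_ok = hash_matches(data, expected_hex)
    return {
        "sha256": sha256_hex(data),
        "hash_ok": hash_ok,
        "indicators": indicators,
        "verdict": "clean" if hash_ok and not indicators else "reject",
    }


def flag_c2_connections(log_lines: List[str]) -> List[str]:
    """Return outbound-connection log lines that reach the C2 address.

    Hosts that ran the tainted installer during the exposure window would show
    this in firewall, proxy or NetFlow records.
    """
    return [line for line in log_lines if C2_IP in line]


# Constructed stand-ins for illustration; not the real installer bytes.
CLEAN_SAMPLE = b"<?php\n// stand-in for the go-pear bootstrap\necho 'PEAR installer';\n"
TAINTED_SAMPLE = (
    CLEAN_SAMPLE
    + b"\n// constructed stand-in: embedded perl stub that connects to "
    + C2_IP.encode()
    + b"\n"
)

# Constructed firewall log lines; only the second one reaches the C2 address.
SAMPLE_LOG = [
    "2019-01-10T09:12:01Z host=web01 proto=tcp dst=203.0.113.10 action=allow",
    "2019-01-10T09:12:05Z host=web01 proto=tcp dst=104.131.154.154 action=allow",
]

if __name__ == "__main__":
    # Pin the hash of the clean sample to show a pass, then check the tainted one.
    pinned = sha256_hex(CLEAN_SAMPLE)
    print(assess_installer(CLEAN_SAMPLE, pinned))    # verdict: clean
    print(assess_installer(TAINTED_SAMPLE, pinned))  # verdict: reject
    print(flag_c2_connections(SAMPLE_LOG))
```

In practice `sha256_of_file` is pointed at the downloaded go-pear.phar and `KNOWN_GOOD_SHA256` is filled in from the hash the project publishes; the hash check alone is the authoritative test, and the indicator scan is a cheap second opinion for files whose provenance is unknown.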
Importantly, the attack targeted only the go-pear.phar bootstrap installer, not individual PEAR packages distributed via the pear command-line tool. Servers that used the PEAR command to install packages from the repository were not directly affected; only those that bootstrapped a new PEAR installation from the website download were at risk.
The scope of impact is difficult to quantify. PHP powers a large fraction of the web, and system administrators routinely use the PEAR installer to set up PHP environments. Any web server, CI/CD pipeline, or development environment that ran the malicious installer during the exposure window would have given the attacker a persistent foothold.
This incident is a textbook software supply chain attack: compromising the distribution infrastructure of a widely used open-source tool to silently deliver malware to downstream users who trust the official source. No CVE was formally assigned. The PEAR project did not release details about how the web server was compromised. Rapid7 and Help Net Security provided detailed analysis of the malicious payload.
Technical Details
- Initial Attack Vector: Compromise of open-source package repository web server; malicious backdoor injected into official go-pear.phar installer distributed via pear.php.net
- Vendor / Product: PHP PEAR
- Software Package: go-pear.phar
- Malware Family: Perl reverse shell backdoor
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2018-12-20 Breach occurred
- 2019-01-19 Publicly disclosed
- 2019-01-19 Customers notified