Safeguard
Supply Chain Attacks

The Six-Month PEAR go-pear.phar Installer Compromise

How a single tampered PEAR go-pear.phar installer sat undetected on pear.php.net for months, what it could do, and what the PHP ecosystem learned about supply chain trust.

Aman Khan
AppSec Engineer
7 min read

In January 2019, the maintainers of PEAR — one of the oldest package distribution systems in the PHP ecosystem — pulled pear.php.net offline after discovering that its installer file, go-pear.phar, had been silently replaced with a malicious version. The file that thousands of developers had trusted to bootstrap PHP package management on their servers was, in fact, a backdoor. What made the incident so unsettling wasn't just the payload — it was the timeline. PEAR's own maintainers could not say with confidence when the tampering began, and ultimately told users to treat any go-pear.phar download from the prior six months as compromised. The PEAR go-pear.phar compromise became a textbook case of how a single altered installer script can quietly poison a software supply chain for months before anyone notices, and it still shapes how security teams think about trusting build-time downloads today.

What Was the PEAR go-pear.phar Compromise?

The PEAR go-pear.phar compromise was the discovery, in January 2019, that the official installer for PEAR — the PHP Extension and Application Repository — had been swapped out on pear.php.net for a version containing malicious code. go-pear.phar is a self-contained PHP archive that developers download and execute to install the PEAR package manager and configure its environment on a server. Because it runs with the privileges of whatever user invokes it, and because it was fetched directly from the "official" PEAR domain rather than a mirrored, checksum-verified release channel, it was an ideal target: compromise the file once, and every subsequent download hands you code execution on someone else's machine. PEAR maintainers confirmed the file on the live site no longer matched the version checked into the project's GitHub repository, which is what first tipped off the investigation.

When Did the Compromised Installer Appear, and How Was It Discovered?

PEAR took pear.php.net offline on January 19, 2019, immediately after the discrepancy was found, but the exact start date of the compromise was never pinned down. Server logs that could have established a precise infection date either didn't exist or weren't retained long enough to reconstruct the timeline, which is a common failure mode in projects run by small volunteer teams rather than dedicated security operations. Lacking hard evidence, the maintainers made the conservative call: anyone who had downloaded go-pear.phar within approximately the prior six months — roughly the back half of 2018 into January 2019 — was told to assume their download was the tampered one. That guidance, rather than a confirmed forensic timestamp, is where the "six-month" window comes from, and it illustrates a recurring problem in installer-script compromise cases: without integrity monitoring, defenders are often forced to estimate blast radius rather than measure it.

What Could the Malicious go-pear.phar Do to a Victim's System?

The tampered installer was capable of executing attacker-supplied PHP code on any system that ran it, effectively handing over remote control of the host performing the install. Because go-pear.phar's normal job is to write configuration files, set up include paths, and register itself system-wide, a modified version could just as easily drop a web shell, plant additional backdoored files alongside legitimate PEAR components, or quietly alter other parts of the PHP environment during setup — all under the guise of a routine package manager installation. This is precisely why security researchers who reviewed the incident advised more than just deleting the offending file: since the installer runs with the same trust and privilege as any other locally executed script, a fully rigorous response meant reinstalling PHP itself rather than assuming the damage was contained to one archive.

Why Did the Compromise Go Undetected for Six Months?

The compromise persisted because nothing in the PEAR distribution pipeline was verifying that the published installer still matched its source. PEAR predates Composer, PHP's now-dominant dependency manager, by over a decade, and by 2019 its infrastructure had received far less investment and scrutiny than the fast-growing Composer/Packagist ecosystem. There was no automated hash comparison between the file served from pear.php.net and the corresponding release in version control, no widely publicized checksum for users to verify against, and no monitoring alerting maintainers to unexpected file changes on the web server. In short, the installer script compromise succeeded not because the attacker was especially sophisticated, but because the distribution channel had no tripwires. A single unauthorized file write went unnoticed for as long as it did simply because no one — and nothing automated — was watching.

What Did PEAR and the PHP Community Do in Response?

PEAR responded by taking the site down, publishing a security notice urging affected users to reinstall PHP, and eventually rebuilding its distribution process with more scrutiny around what shipped from pear.php.net. Linux distributions and hosting providers that bundled or referenced php-pear packages flagged or paused those components while the scope of the PHP package manager compromise was assessed. The broader PHP community response, though, was arguably more significant than any single fix: the incident accelerated the already-underway migration away from PEAR and toward Composer, which resolves and installs dependencies from Packagist using lockfiles and versioned metadata rather than a single monolithic installer binary fetched from one origin. It also renewed a broader conversation across the open-source ecosystem about verifying build tooling and installer scripts, not just the application dependencies they help pull in — a supply chain concern that reappeared in npm, RubyGems, and PyPI incidents in the years that followed.

How Safeguard Helps

The PEAR go-pear.phar compromise is a reminder that supply chain risk doesn't only live in your application's declared dependencies — it lives in every script, installer, and binary your build and deployment pipeline trusts implicitly. Safeguard is built to close exactly that gap. Our platform continuously monitors the packages, installer scripts, and third-party artifacts pulled into your build process, flagging unexpected changes to files that should be immutable between releases — the same class of silent tampering that let a modified go-pear.phar sit undetected for months. Instead of relying on a maintainer manually noticing that a hash doesn't match, Safeguard automates that verification at the point where it matters: before the artifact reaches a developer's machine or a production build.

Safeguard also helps teams reduce their exposure to legacy, under-maintained distribution channels like the one PEAR operated in 2019. We map your dependency tree — including transitive installer and tooling dependencies that often get overlooked — and surface packages that are still pulled from single-maintainer infrastructure with weak provenance guarantees, so you can migrate away from risky sources before an incident forces the issue. When a compromise does happen upstream, Safeguard's alerting shortens the "unknown exposure window" problem that made the PEAR incident so hard to scope: rather than waiting six months and then asking users to assume the worst, our customers get near-real-time notification when a monitored artifact's signature or hash changes unexpectedly.

Finally, Safeguard treats installer scripts with the same rigor as application code. Any executable fetched and run during setup — whether it's a PHP archive, a shell script piped from curl, or a signed binary installer — is a potential vector for exactly this kind of supply chain compromise, and our scanning and policy enforcement extend to that layer rather than stopping at the package manifest. The PEAR go-pear.phar compromise cost the PHP ecosystem trust that took years to rebuild; the goal of continuous, automated artifact verification is to make sure the next installer-script compromise gets caught in hours, not half a year.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.