The phpMyAdmin team was notified of the issue by the Tencent Security Response Center, and they immediately put up a warning for its users. Then they proceeded to alert the team at SourceForge, who mounted an investigation into the matter.
"On September 25th, SourceForge became aware of a corrupted copy of phpMyAdmin being served from the ‘cdnetworks-kr-1′ mirror in Korea. This mirror was immediately removed from rotation," Rich Bowen, the Community Growth Hacker at SourceForge, confirmed on the site's blog.
"The mirror provider has confirmed the attack vector has been identified and is limited to their mirror; with exploit having occurred on or around September 22nd."
The file - phpMyAdmin-22.214.171.124-all-languages.zip - was modified to include a backdoor that allowed attackers to remotely execute PHP code on the server running the malicious version of phpMyAdmin.
According to their logs, some 400 users downloaded the corrupted file, and those who could be tracked down via those logs were immediately alerted.
"Downloaders are at risk only if a corrupt copy of this software was obtained, installed on a server, and serving was enabled. Examination of web logs and other server data should help confirm whether this backdoor was accessed," Bowen instructs.
"It is our recommendation that downloaders of this corrupted file (which contains ‘server_sync.php’) assess risk and take action as they deem appropriate, including deletion of the corrupted file and downloading a fresh copy."
At the time being, it seems that only that one file was corrupted, but the investigation continues.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.