I've never heard of this type of attack vector. Nor has the idea even occurred to me, until I read your editorial, Steve. In thinking about it the first thing that comes to mind is the attack had to have been an internal one. Someone who normally works on PHP code wanted to plant a back door in it, for some reason. I conclude this because my experience at source control at scale so far is limited to using TFS. No one can get to our code repos unless they're known people in our Windows AD domain. Otherwise, if it were an external agent, they'd have to obtain the person's credentials, then go poking around possibly for a long time, to find the repo to put a back door into. I can imagine that taking a couple of hours. I might be naive enough that my two-hour estimate is overblown, but that's what I think it would take.