WordPress users, take notice

Good lord, this is a nightmare scenario. If you run a website powered by WordPress, be sure to read this announcement:

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

If you know someone whose site is powered by WordPress, spread the word. And man, do I feel bad for the people who run WordPress.org. This is indeed “the kind of thing you pray never happens.”

2 thoughts on “WordPress users, take notice”

  1. It reminds me of the time the GNU Savannah server was hacked (which held the repository of FSF code). It took them months to prove to themselves that no packages were compromised ... not that I believed them.
