As announced on the php.internals mailing list, a pair of malicious commits were made in the PHP source code repository over the weekend. These commits were immediately noticed and reverted,
and thus never reached end users . The investigation into the root cause and exact scope of the
compromise is still ongoing, therefore releases will be put
on hold for two weeks assuming no further issues are discovered.