"On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which contained a backdoor."
—
From ProFTPD ftp.proftpd.org compromise.
That’s probably the worst possible scenario: the application is distributing the application itself, and they exploited a bug in the application to backdoor the distributed application. WTF!
