The FreeBSD.org cluster saw a security breach on two of its machines on Sunday. Following the breach, FreeBSD.org was taken offline, and although most of it is back online now, some deprecated projects are being removed. The FreeBSD project has not been able to confirm the existence of trojans, but users are advised to be vigilant about the possibility.
The breach was made possible by a leaked SSH key, which affected a few clusters. This is not a result of a hack, but a classic example of people being the weakest point in security. FreeBSD has stepped up in its efforts to mitigate this risk, and a part of its response reads,
As a result of this event, a number of operational security changes are being made at the FreeBSD Project, in order to improve our resilience to potential attacks. We plan, therefore, to rapidly deprecate a number of legacy services, such as cvsup distribution of FreeBSD source, in favor of our more robust Subversion, FreeBSD-update, and portsnap models.
Although the rogue developer had no access to the FreeBSD base systems, he did have access enough to compromise the third party packages. FreeBSD.org is conducting security audits and will come out with news of possible breaches if any. The full compromise report and safety precautions are available at this page.