Attackers have injected exploit code into the downloadable software for the WordPress blogging service.
The open source software allows users to set up and publish postings to a blog. The company has issued an update that repairs the vulnerability.
Hackers broke into the WordPress download server early last week and embedded attack code into the 2.1.1 update of the application.
The malware opened a backdoor on infected systems that could allow an attacker to execute code and install software.
WordPress founding developer Matthew Mullenweg said on a company blog that the infected software was offered to users for three to four days as an official download before the company was alerted to the breach.
"This is the kind of thing you pray never happens," said Mullenweg. "But it did and we are dealing with it as best we can."
Security vendor Symantec said that it had uncovered fewer than 50 attacks exploiting the backdoor. The firm rated the threat as 'low-level' because of its limited reach and easy removal.
WordPress is recommending that all users upgrade to version 2.1.2 of the software, and has urged administrators hosting WordPress blogs to prevent access to the 'theme.php' and 'feed.php' files that are infected by the attack.
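For administrators following that advice, the sketch below scans a web server access log for direct requests to the two named files and separates those the server actually answered from those it refused. It is an added example, not code from WordPress or Symantec; the combined log format, the sample log lines, the request paths and the function names are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# File names taken from the advisory above; matched by basename only.
WATCHED = {"theme.php", "feed.php"}

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def direct_hits(lines):
    """Map client IP -> [(timestamp, method, target, status)] for requests
    whose path ends in one of the watched file names."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not parse
        # Drop the query string and decode %xx so encoded names still match.
        path = unquote(m["target"].split("?", 1)[0])
        if path.rsplit("/", 1)[-1].lower() in WATCHED:
            hits[m["ip"]].append(
                (m["ts"], m["method"], m["target"], int(m["status"])))
    return dict(hits)

def served(hits):
    """Keep only hits answered with 2xx, i.e. the file was still reachable."""
    out = {}
    for ip, rows in hits.items():
        ok = [r for r in rows if 200 <= r[3] < 300]
        if ok:
            out[ip] = ok
    return out

# Constructed sample log (documentation IP ranges, invented paths and times).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:15:01 +0000] "GET /blog/wp-includes/theme.php?x=1 HTTP/1.1" 200 512 "-" "constructed"',
    '192.0.2.10 - - [01/Jan/2000:10:15:09 +0000] "POST /blog/wp-includes/feed.php HTTP/1.1" 403 199 "-" "constructed"',
    '198.51.100.7 - - [01/Jan/2000:11:02:44 +0000] "GET /blog/wp-includes/Feed%2Ephp HTTP/1.1" 403 199 "-" "constructed"',
    '203.0.113.5 - - [01/Jan/2000:11:30:00 +0000] "GET /blog/feed/ HTTP/1.1" 200 4096 "-" "constructed"',
    '203.0.113.5 - - [01/Jan/2000:11:30:02 +0000] "GET /blog/mytheme.php HTTP/1.1" 200 100 "-" "constructed"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, rows in served(direct_hits(SAMPLE_LOG)).items():
        for ts, method, target, status in rows:
            print(f"{ip} {ts} {method} {target} -> {status}")
```

A 2xx answer to a direct request for either file means the block is not yet in place on that host; 403 responses show the restriction working while still recording who asked.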