Several servers belonging to the Debian Project, maintainers of the Debian Linux distribution, were compromised and subsequently pulled offline last week.
The compromise was revealed in a posting to the debian-announce mailing list, with tech news blog Slashdot.org picking it up shortly afterwards.
"This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours," the posting read.
Attackers compromised four servers, including those responsible for maintaining the project's bug tracking system, mailing lists, Web, Common Versioning System (CVS), security downloads and others.
"Some of these services are currently not available as the machines undergo close inspection. Some services have been moved to other machines (www.debian.org for example)," the statement added.
The servers appear to have been brought back online at the time of writing.
Debian had been due to release a new point release of Debian GNU/Linux, which had already been distributed to "mirror" sites for download. The updated software was not compromised in the breach.
"This update has now been checked and it is not affected by the compromise," the group's statement read.