In PHP phpass version 0.3.x-dev, 0.3.x a backdoor exists in the phpass package that can be attacked via malicious package update resulting in credential theft