Anybody using Webmin, a web-based
system-administration tool, will want to update now, as it turns out that
the system has been
backdoored for over a year. “At some time in April 2018, the
Webmin development build server was exploited and a vulnerability added to
the password_change.cgi script. Because the timestamp on the file was set
back, it did not show up in any Git diffs. This was included in the Webmin
1.890 release.“

Source: LWN.net – Backdoors in Webmin