To prevent a repeat of the incident, the developers say they plan to re-implement PGP/GPG signing of releases; a later posting in the forums says this has now been implemented. The developers note that only one file, Unreal3.2.8.1.tar.gz, was affected; the Windows versions, earlier releases and the code in the CVS source code control system are unaffected. The advisory also explains how to check installations for the backdoor: it gives MD5 checksums for the "bad" and "good" versions of the archive or, if the archive is not available, a simple way to check the source code using grep.
The link to this article at H Security is no longer available.