Firstly, the security patch was already published by the ACF team, and that wasn't the code that was pushed. This was a package takeover, slug, reviews, users, everything:
https://www.advancedcustomfields.com/blog/acf-plugin-no-long...
People woke up to their website being updated to “Secure Custom Fields”, an alternative (or a fork) that's not fully compatible. Here's one such report from HN:
https://news.ycombinator.com/item?id=41830709