Hacker News: TheYComb's comments

The presence of an "eval" makes it pretty obvious that there was something going on.

The only clever thing here is putting the code after the GPL text that usually nobody reads.

Doesn't the Joomla community code-review contributions to their code base?


The fact that $_REQUEST was used is a huge red flag as well.

Edit: I should expand a bit: $_REQUEST is a no-no; it should be $_GET or $_POST, depending on the request. The actual badness of $_REQUEST is that it also contains everything in $_COOKIE.
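Added example, not from the thread and not Joomla code: a small Python triage scanner for the two signals these comments describe, an eval() call and use of $_REQUEST, run over a constructed PHP file in which a one-liner sits right below a GPL license header. The PHP sample, its placeholder guard line and class, and the function names (scan_php, strip_comments, license_block_end, report) are the example's own. One caveat on the $_REQUEST point: whether cookie values land in $_REQUEST depends on PHP's request_order ini setting (falling back to variables_order when unset); the php.ini-production shipped with PHP 5.3 and later sets request_order = "GP", which leaves cookies out, while the compiled-in default includes them, so check the deployed ini before assuming either way.

```python
"""Triage scanner for a PHP file suspected of carrying an injected backdoor.
Flags eval() calls and $_REQUEST usage and reports how far below the license
header each hit sits. Added example; not Joomla code and not from the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample file: a GPL header followed by a hidden one-liner. The
# guard line and class are placeholders, not real Joomla code.
SAMPLE_PHP = """<?php
/**
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 */
defined('_JEXEC') or die;  // placeholder guard line
eval(base64_decode($_REQUEST['c']));  // injected: easy to miss below the license text
class HelloController { public function run() { return 'ok'; } }
"""


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    snippet: str


SUPERGLOBAL = r"\$_(?:REQUEST|GET|POST|COOKIE)\b"
RULES = (
    # Runtime code execution; essentially never legitimate in a CMS core file.
    ("eval", re.compile(r"\beval\s*\(")),
    # Merged GET/POST (and COOKIE, depending on request_order): ambiguous source.
    ("request-superglobal", re.compile(r"\$_REQUEST\b")),
    # eval() whose argument is built from user input on the same line.
    ("eval-from-input", re.compile(r"\beval\s*\([^;]*" + SUPERGLOBAL)),
)


def strip_comments(src: str) -> str:
    """Blank out /* */, // and # comments while keeping every newline, so line
    numbers in findings match the original file. String literals are not
    parsed, so a '//' inside a URL string is also blanked; fine for triage."""
    out: List[str] = []
    i, n = 0, len(src)
    while i < n:
        if src.startswith("/*", i):
            end = src.find("*/", i + 2)
            end = n if end == -1 else end + 2
            out.append("".join("\n" if c == "\n" else " " for c in src[i:end]))
            i = end
        elif src.startswith("//", i) or src[i] == "#":
            end = src.find("\n", i)
            end = n if end == -1 else end
            out.append(" " * (end - i))
            i = end
        else:
            out.append(src[i])
            i += 1
    return "".join(out)


def license_block_end(src: str) -> Optional[int]:
    """Line on which the first block comment mentioning the GPL closes, or None."""
    m = re.search(r"/\*.*?GNU General Public License.*?\*/", src, re.S)
    return None if m is None else src.count("\n", 0, m.end()) + 1


def scan_php(src: str) -> List[Finding]:
    """Return every rule hit in the code (comments excluded), in file order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, rule, line.strip()))
    return findings


def report(src: str) -> List[str]:
    """Human-readable lines, noting how far below the license text each hit is."""
    header_end = license_block_end(src)
    lines: List[str] = []
    for f in scan_php(src):
        where = ""
        if header_end is not None and f.line > header_end:
            where = f" ({f.line - header_end} line(s) below the license header)"
        lines.append(f"line {f.line}: {f.rule}{where}: {f.snippet}")
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_PHP) or ["no findings"]:
        print(entry)
```

Run it over a real install with `report(open(path).read())` per file; the "eval-from-input" rule is the one worth paging someone for, while a bare "request-superglobal" hit in a legitimate file is a code-quality finding, not evidence of compromise.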


As I mentioned in the article, the code was inserted into a good core file from Joomla as part of a malicious attack. Thanks for the comment.


This was found on a deployed instance, rather than in the main Joomla source repository or download? The article doesn't make this clear.


http://support.citrix.com/article/CTX116557

Getting the private key is as easy as having a smart person inside the company who works for both the company and the gov.

Then you just have to sit on a router and read the traffic. Relatively simple for a gov agency.

There are two ways to be safe: 1) You do not use any technology. 2) You are honest in everything you do.

The second one is probably the easiest.


They just fixed it. I saw the same problem on Zendesk (video attached): http://news.ycombinator.com/item?id=5185484


Their "Move fast, break things" motto may not go well with your product. When you add Facebook's JavaScript to your page, you trust them not to do something dumb... but sometimes they do.


I am happy to be building the startup (BloomBoard) that Colorado is using to assess the quality of their teachers =)


I would even pay $50 a year if Google stopped making "improvements" to the UI. The new composer looks nice at first, but it slows me down when I need to use different fonts, etc., AND they removed background color, AKA highlight. I do not use Evernote just because they do not have highlight... and now they decided to remove it from Gmail too. If it is not broken, don't fix it :-/

