As widely reported yesterday, somebody had a site running claiming to offer a new version of WordPress – 2.6.4. Some people running older versions had their sites attacked in such a way that the area in the Dashboard that announces such things as new versions alerted them to this spurious and dangerous release, which was living on a now-closed site with a name quite close to WordPress.
More details from Westi:
Or the quick summary: always update your sites when security releases come out. Don’t put it off, don’t think you’ll skip this one and watch where you’re clicking.
The forthcoming WordPress 2.7 will include an automatic update feature (which appears to be working well for most people) which should help with this in future. It’s also looking incredibly good now – if you’d like to join in the fun, grab Beta 2 now. The usual advice about backups or test sites applies, but it’s been very well behaved with my tests so far…
 The Register, for instance