Re: Why only now?
Because, as the article points out, that requires time and money, something small projects like PHP don't have.
This is not the first malware injection in a Linux repository and it won't be the last. Ultimately, Google's solution of creating their own canonical version with no direct outside commits allowed may be the future. Although having it maintained by Google would be, shall we say, suboptimal.