I don't think many in this forum will fall for the latest social engineering trick, and it's for standalone, not MU, but I wanted to mention it.
There is a fake WordPress 2.6.4 out there now that backdoors cookie contents on successful login to a webserver for later compromise. It appears that the site has been taken down for now.
The offending site (typo squatting): http://www.wordpresz.org
See the screenshots:
http://blogs.zdnet.com/security/?p=2129
Also from the WP forums:
http://wordpress.org/support/topic/214908
Not sure how they managed to inject the upgrade alert into the dashboard feeds. Seems like it might be a Windows-based DNS attack. Why bother 'forcing' the upgrade if they have already poisoned DNS?