While anything is possible, one thing for sure is that your site was compromised.
Please remain calm and carefully follow this guide.
When you're done, you may want to implement some (if not all) of the recommended security measures.
Please do not post any malware code in these forums. If you are convinced that the plugin was compromised on the WordPress repo, please send the details privately to plugins@wordpress.org and they can investigate it.