I updated phpMyAdmin from 4.7.9 to 4.8.0 the day before yesterday. Although they wrote that ‘it is possible to install phpMyAdmin from our own Composer repository.’ on the official download page, I still uses the manually installation in my own way. After updating, I was surprised with a folder named tmp in my phpMyAdmin root directory. But it’s not a malicious but a proper one by phpMyAdmin.
We can know that phpMyAdmin uses Twig by default from the version 4.8.0 according to the conversation among the members of phpMyAdmin developers on GitHub.
When its first running, phpMyAdmin creates Twig templates and caches them to the temporally folder (The default place is phpmyadmin/tmp or you can config it by adding
$cfg['TempDir'] = TEMP_DIR; to the config.inc.php.) Sometimes the tmp folder is not create automatically due to the server settings. In this case, you need to create a tmp folder and set its permission manually. See Configuration.
I think it is better you set the tmp out of an accessible area from the Internet if you use Windows OS because you cannot set an extra permission on it.