Greg Martyn
it looks like one of the the xz maintainers was actually an attacker
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
Backdoor found in widely used Linux utility targets encrypted SSH connections

Malicious code planted in xz Utils has been circulating for more than a month.

Ars Technica
Mar 29, 2024 at 8:22pmWeb