Debian security amirite?

https://lemmy.world/post/13714561

The xz infiltration is a proof of concept.

Anyone who is comforted by the fact they’re not affected by a particular release is misguided. We just don’t yet know the ways in which we are thoroughly screwed.

This is a huge wake-up call to OSS maintainers that they need to review code a lot more thoroughly. This is far from the last time we’re going to see this, and it probably wouldn’t have been caught if the attacker hadn’t been sloppy.
And to have strong and continuous analysis of software bills of materials.