What's really gonna bake your noodle later on is, how many times has this happened before and nobody caught it?
Discussion
Wow, right after I posted that, I found out that the same account that introduced the xz backdoor also introduced a vulnerability into libarchive in 2021!
It wasn't caught until two days ago, and only because the xz backdoor happened to get caught.
So yeah, more evidence that this happens more frequently than people realize.
Source: https://boehs.org/node/everything-i-know-about-the-xz-backdoor