Chris suggested what many of us were thinking and covertly working on: finding other backdoors in #OpenSource software.
https://infosec.exchange/@briankrebs/112197571739687377
So since the word is out now...
The xz #backdoor attacker used an email address that had been around for years but never appeared in any breach databases. OK, this happens sometimes.
But all the accounts that appear to be sock puppets also follow that pattern. They pretty much only showed up to comment on one issue from one project.
Starting to see the pattern here? There are many other tells. Not all matches will be backdoors, but these kinds of things will narrow the search.
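The "only ever showed up on one issue of one project" tell above can be turned into a simple filter over a contributor-activity export. The following is an added example written for this page, not the poster's own tooling: it assumes you already have comment events as (account, project, issue) tuples (pulled from a forge API or a mirrored issue tracker; how you collect them is out of scope here) and the data below is constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Comment:
    """One comment event: who posted, on which project, on which issue."""
    account: str
    project: str
    issue: int


# Constructed sample data (not real accounts or projects).
SAMPLE_COMMENTS = [
    Comment("alice", "projA", 12),   # active across several issues/projects
    Comment("alice", "projA", 15),
    Comment("alice", "projB", 3),
    Comment("bob", "projA", 12),     # active on more than one project
    Comment("bob", "projC", 7),
    Comment("userx", "projA", 12),   # only ever seen on projA#12
    Comment("userx", "projA", 12),
    Comment("usery", "projA", 12),   # only ever seen on projA#12
    Comment("userz", "projB", 3),    # single-issue, but alone on that issue
]


def account_activity(comments):
    """Map each account to the set of (project, issue) pairs it commented on."""
    activity = defaultdict(set)
    for c in comments:
        activity[c.account].add((c.project, c.issue))
    return activity


def single_issue_accounts(comments):
    """Accounts whose every comment lands on exactly one issue of one project.

    Returns {account: (project, issue)}. This is the narrowing filter from the
    post: matches are candidates to look at, not proof of anything.
    """
    activity = account_activity(comments)
    return {
        acct: next(iter(targets))
        for acct, targets in activity.items()
        if len(targets) == 1
    }


def issues_with_clustered_puppets(comments, min_accounts=2):
    """Group single-issue accounts by the issue they share.

    An issue that attracted several accounts which exist nowhere else is where
    the sock-puppet pattern concentrates; issues with only one such account
    are dropped, since a lone drive-by commenter is common and benign.
    """
    by_issue = defaultdict(list)
    for acct, target in single_issue_accounts(comments).items():
        by_issue[target].append(acct)
    return {
        issue: sorted(accts)
        for issue, accts in by_issue.items()
        if len(accts) >= min_accounts
    }


if __name__ == "__main__":
    for (project, issue), accts in issues_with_clustered_puppets(SAMPLE_COMMENTS).items():
        print(f"{project}#{issue}: single-issue accounts {accts}")
```

On the constructed data this flags projA#12 with userx and usery, while userz (single-issue but alone) and the broadly active alice and bob fall out. The email-history check from the post is a separate signal you would join in afterwards; this block deliberately does not model breach-database lookups, since those depend on whatever source you have access to.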