Replying to Dr. Hax

Wow, right after I posted that, I found out that the same account that introduced the xz backdoor also introduced a vulnerability into libarchive in 2021!

It wasn't caught until two days ago, and only because the xz backdoor happened to get caught.

So yeah, more evidence that this happens more frequently than people realize.

Source: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

nostr:nevent1qqsrfpv29tlkx370wgd0ax8qm38k6kt5433q3a9l6gyxuhhhrzn6awspz3mhxue69uhhyetvv9ujumn0wd68ytnzvupzp5cw4x82vh5487g6hylkkv82284n83gxlp75nasq5yu6auq249g3qvzqqqqqqyymdqcv

Bogi 1y ago

What if the real long game is to attack anonymous code contribution?


Discussion

Dr. Hax 1y ago

1. Yeah, good luck with that, and

2. It wouldn't solve the problem even if successful

Given #2, it'd be hard to get support.

Here's an example of an attributable attack from more than a decade ago.

https://rigor-mortis.nmrc.org/@simplenomad/112184869681420177
