This attack reminds me of the Copay backdoor in an NPM sub-sub-sub-dependency. But this is next level. The partially lived in the code, added by "just some tests" commits - that didn't contain executable code.
They were then activated by something the rogue maintainer snuck into the release binaries.

nostr:note159ur4n6p7nm88h6xes29klhtftg0wfkeljy3lf3nnzu2r9qaerhs3xugec