This was so clever and done with such low time preference, starting at least three years ago, it makes you wonder if they had multiple attempts at this type of attack using different packages sock puppet accounts? Also hilarious that a Microsoft developer discovered a major Linux backdoor attack.

https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/