Wow, right after I posted that, I found out that the same account that introduced the xz backdoor also introduced a vulnerability into libarchive in 2021!
It wasn't caught until two days ago, and only because the xz backdoor happened to get caught.
So yeah, more evidence that this happens more frequently than people realize.
Source: https://boehs.org/node/everything-i-know-about-the-xz-backdoor