heres a video that explains it
https://www.youtube.com/watch?v=jqjtNDtbDNI basically the OG maintainer of liblzma, xz-utils etc... started the project as a hobby, a fuck ton of corporations, open source projects, every linux distro used it as a dependency. He was the only maintainer and was under a ton of pressure, he had no help maintaining, no financial help etc and was having mental health issues.
You can read the mailing list, its sad. A person there was brutally rude telling him to give the project up because he wasn't moving fast enough (which is just insanely out of touch and rude) so he passed it off to the only other person who was committing to the project, and that person slowly introduced commits that very intentionally added a backdoor.
but anyways the new person used a few inconspicuous commits using tests and a couple of test archives that contained a binary object file and some dormant code that he cut out and used to add a hook into the build pipeline that injected this object into the main library. Its likely imo that the code is just a hardcoded RSA key, potentially allowing this person to SSH into any machine that exists with that library (which is a metric fuck ton).
This could have easily been avoided by following the bus rule and if the people who relied on open source libraries like this had provided code or money so that people like this don't get driven into the ground. Its only a matter of time for this to happen with libraries like these and it would be very easy for malicious actors to exploit that by gaining trust and then slipping backdoors into core OSS libraries over time by targeting undervalued, overlooked and down right abused developers of vital libs. Something needs to change.
