It's one of the few times where I'm glad I chose a conservative distro like Debian. It's also crazy that it took months before it was detected.
Didn't Debian import it into their packages as Ubuntu did?
I just checked my Debian device and it seems they include xz by default. But based on my experience, Debian is usually slower to upgrade its packages compared with Ubuntu LTS.
Basically it contains a backdoor to completely bypass your SSH authentication. All signs point to it being planted by a malicious actor running the project. It is undetectable by sanitizers and fuzz testing tools.
I bet it's a state actor? Maybe the CIA or similar.
A rare case of an open-source project being compromised... imagine if this happens to a Bitcoin wallet.
I can see that happening to unpopular wallet software or a library used to sign transactions. Imagine if someone compromised a signing library to create signed TXs with k values in a specific range.
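The "k value range" worry in the post above is the reason wallets moved to deterministic nonces (RFC 6979): when k is derived from the private key and message hash instead of a random generator, a signing library's output becomes reproducible, so a tampered nonce shows up as a signature that does not match an independent reference computation. The block below is an added example, not code from the thread or from any wallet project: a pure-Python secp256k1 signer with RFC 6979 nonces, plus an `audit_signature` helper (a hypothetical name) that recomputes the expected signature and flags any deviation. The curve constants are the public secp256k1 parameters; the messages used are constructed.

```python
import hashlib
import hmac

# Public secp256k1 parameters: field prime, group order, generator point.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # P + (-P) = infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _scalar_mult(k, point):
    """Double-and-add scalar multiplication (clarity over constant time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def public_key(privkey):
    return _scalar_mult(privkey, G)


def deterministic_nonce(privkey, message):
    """RFC 6979 section 3.2 nonce for secp256k1 with SHA-256 (qlen == hlen)."""
    h1 = hashlib.sha256(message).digest()
    rolen = (N.bit_length() + 7) // 8
    # bits2octets(h1): hash as integer, reduced mod the group order
    bx = privkey.to_bytes(rolen, "big") + (int.from_bytes(h1, "big") % N).to_bytes(rolen, "big")
    V = b"\x01" * 32
    K = b"\x00" * 32
    K = hmac.new(K, V + b"\x00" + bx, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    K = hmac.new(K, V + b"\x01" + bx, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        V = hmac.new(K, V, hashlib.sha256).digest()   # one 256-bit candidate
        k = int.from_bytes(V, "big")
        if 1 <= k < N:
            return k
        # Candidate out of range: update K and V and try again (RFC step h.3)
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()


def sign(privkey, message):
    """ECDSA signature (r, s) with a deterministic nonce and low-s normalisation."""
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    k = deterministic_nonce(privkey, message)
    r = _scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * privkey) % N
    if s > N // 2:          # Bitcoin requires the low-s form
        s = N - s
    return (r, s)


def verify(pubkey, message, sig):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    w = pow(s, -1, N)
    pt = _point_add(_scalar_mult(z * w % N, G), _scalar_mult(r * w % N, pubkey))
    return pt is not None and pt[0] % N == r


def audit_signature(privkey, message, observed_sig):
    """Hypothetical audit helper: a library's signature for this key and message
    must equal the RFC 6979 reference exactly; anything else means the nonce
    (or the signing code) is not what it claims to be."""
    return tuple(observed_sig) == sign(privkey, message)


if __name__ == "__main__":
    msg = b"constructed message"          # constructed sample input
    sig = sign(7, msg)
    print("valid:", verify(public_key(7), msg, sig))
    print("audit ok:", audit_signature(7, msg, sig))
```

The audit only works because the nonce is a pure function of the key and message; a library that silently swaps RFC 6979 for a biased generator would pass `verify` on every signature it emits yet fail `audit_signature` on the first one, which is the detection property a wallet maintainer wants from a vendored signing dependency.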