https://www.osnews.com/story/139064/bac ... ompromise/
This story is absolutely wild, and gets wilder the more you read about it.
Short version: https://xkcd.com/2347/
Slightly longer version: a compression library (liblzma) and utility (xz) used by a lot of Linux package managers (and for many other applications) was backdoored upstream in a way that banked on the library being preloaded by SSH on major distros to enable an optional feature when using SSH with systemd. Most rolling or unstable Linux distributions (i.e. continuously updating, not holding back package versions) are affected, and servers running them with public facing SSH could be accessed remotely while the bad versions of the package are installed. This was all accomplished through a number of fake software developer accounts, one of which stepped up to help maintain the package when the original maintainer was having some crises. Other fake developer accounts pitched in to promote the compromised versions of the package and generate pressure to merge the bad commits. Furthermore, this started two years ago. Furthermore, an account associated with the same bad actor was involved in another library (libarchive) and got a vulnerability merged into the codebase, so libarchive can also be considered compromised. That was also years ago.
Currently, Github has blocked all access to the xz repo due to its compromise with malware violating their TOS, and the entire thing is being investigated by several US intelligence agencies.
This is, I cannot convey enough, an absolute fiasco. I have been doing Linux tech work on and off for a decade, and this is the wildest shit I have ever seen bar none.