Sure, generally speaking, people who try to break into computer systems for profit do not have a lot of overlap with people who spend lots of time writing open source software for fun.
But in this case it is not hard to imagine that the XZ-perpetrator came from the second group, right?
Edit: I mean, this wouldn't be that different from when Ken Thompson demonstrated how to do a hidden backdoor in the C compiler?