Just wanted to bring this to everyone’s attention if you hadn’t seen it already.

Developer discovered a backdoor in xz-utils