• WolfLink
    8 months ago

    The malicious code wasn’t in the source code people typically read (the GitHub repo) but was in the code people typically build for official releases (the tarball). It was also hidden in files that are supposed to be used for testing, which get run as part of the official building process.
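
A check that follows from the comment above, as an added example that is not part of the original thread: hash every file in a release tarball and compare it with a checkout of the matching tag. The file names, contents and the `pkg-1.0/` prefix are constructed sample data, and all function names are hypothetical.

```python
import hashlib
import io
import tarfile

def tarball_hashes(tar_bytes, strip_prefix):
    """Map each regular file in the tarball to its SHA-256 digest."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                name = member.name.removeprefix(strip_prefix)
                data = tar.extractfile(member).read()
                hashes[name] = hashlib.sha256(data).hexdigest()
    return hashes

def compare(tar_hashes, repo_hashes):
    """Report paths that exist on one side only or whose contents differ."""
    shared = tar_hashes.keys() & repo_hashes.keys()
    return {
        "only_in_tarball": sorted(tar_hashes.keys() - repo_hashes.keys()),
        "only_in_repo": sorted(repo_hashes.keys() - tar_hashes.keys()),
        "content_differs": sorted(n for n in shared if tar_hashes[n] != repo_hashes[n]),
    }

def build_tarball(files, prefix):
    """Build an in-memory .tar.gz so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data: a repository checkout and the tarball "released" from it.
REPO = {"src/main.c": b"int main(void) { return 0; }\n",
        "tests/files/sample.bin": b"\x00\x01fixture",
        ".gitignore": b"*.o\n"}
TARBALL = {"src/main.c": REPO["src/main.c"],
           "tests/files/sample.bin": b"\x00\x01fixture-modified",
           "build/extra.m4": b"# present only in the tarball\n"}

def demo():
    repo_hashes = {n: hashlib.sha256(d).hexdigest() for n, d in REPO.items()}
    return compare(tarball_hashes(build_tarball(TARBALL, "pkg-1.0/"), "pkg-1.0/"), repo_hashes)

if __name__ == "__main__":
    print(demo())
```

Release tarballs built with autotools legitimately ship generated files that are absent from the repository, so each reported path still needs review rather than being treated as malicious by default.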