You seem to have updated the wording to "has been backdoored by a malicious actor". Isn't that more speculation, with the tentativeness removed? What facts incline you to believe it was a malicious actor, and not the maintainer?
Yes, that's true. And I agree that there is some malicious actor; a bag of Base64-encoded code doesn't get inserted as an innocent accident. But the way you've expressed yourself, more than once, suggests you have reason to believe the malicious actor is other than the maintainer.
Do you have any evidence, one way or the other?
Let's not chop logic. I don't think you've been completely frank about this. The commit was signed by the maintainer, right, using a private key? That means the maintainer "done it", absent evidence to the contrary. And apparently the maintainer is silent.
Apologies; I am not a git user. I thought every git commit was signed, excuse my ignorance. I'm surprised something in PyPi can be shipped without any signatures, but I'm not shocked; I'm not a fan of language-specific repositories. NPM is an example of what I'm not a fan of.
> It is possible the original developer of the package had their account compromised and used by a malicious actor.
> whose maintainer's account was likely compromised by a malicious actor
Seems to still be speculating about the cause without diving deeper into the topic, or is there some cache invalidation of the article that is missing perhaps?
Yes, that would be caching. We kept the first sentence, as it's still possible his account was compromised (we have no strong evidence to prove it, but no strong evidence to refute it either).