Note however that xzutils home page says that "versions 5.2.12, 5.4.3 and later have been signed with Jia Tan's OpenPGP key" so there would have been plenty more opportunities. We may just have seen the beginning. Whoever did this played the long game.
Also note that there was proposed patches by this compromised project maintainer to oss-fuzz and valgrind to avoid the detection of this backdoor.
Note however that xzutils home page says that "versions 5.2.12, 5.4.3 and later have been signed with Jia Tan's OpenPGP key" so there would have been plenty more opportunities. We may just have seen the beginning. Whoever did this played the long game.
Also note that there was proposed patches by this compromised project maintainer to oss-fuzz and valgrind to avoid the detection of this backdoor.