by puffybuf 773 days ago
It doesn't even have to be a server like ssh. It could be a client-side project engineered to somehow deliver all your ssh keys or bitcoin wallets. There is no reason backdoors couldn't stealthily phone home from client-side applications.
1 comments

The crazy thing about the xz issue was that xz is not even a dependency of openssh, but of systemd. And the xz backdoor exploited the systemd integration of openssh. This exploit was invisible to people that tested plain openssh without one of the most common integrations into Linux.
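
The dependency chain described in the comment above can be audited by walking the `NEEDED` entries of a binary and its libraries. This is an added example, not part of the thread: the `readelf -d` excerpts are constructed sample data, and the names `needed` and `dependency_path` are hypothetical.

```python
import re
from collections import deque

# Matches one NEEDED line of `readelf -d` output and captures the library name.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

# Constructed `readelf -d` excerpts (not captured from a real host).
# DISTRO_BUILD models an sshd built with the systemd integration.
DISTRO_BUILD = {
    "sshd": """
 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)  Shared library: [libsystemd.so.0]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]
""",
    "libsystemd.so.0": """
 0x0000000000000001 (NEEDED)  Shared library: [liblzma.so.5]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]
""",
    "libcrypto.so.3": """
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]
""",
}
# PLAIN_BUILD models the same tree with an sshd built without that integration.
PLAIN_BUILD = dict(DISTRO_BUILD, sshd="""
 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]
""")

def needed(dynamic_section):
    """Return the direct shared-library dependencies listed in a dynamic section."""
    return NEEDED_RE.findall(dynamic_section)

def dependency_path(tree, root, target_prefix):
    """Breadth-first search: shortest chain from root to a library whose
    name starts with target_prefix, or None if it is never loaded."""
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        for lib in needed(tree.get(path[-1], "")):
            if lib in seen:
                continue
            seen.add(lib)
            if lib.startswith(target_prefix):
                return path + [lib]
            queue.append(path + [lib])
    return None

if __name__ == "__main__":
    for label, tree in (("distro", DISTRO_BUILD), ("plain", PLAIN_BUILD)):
        print(label, dependency_path(tree, "sshd", "liblzma"))
```

On a real host the dictionary would be filled from `readelf -d` run on sshd and on each library it resolves to, which shows the chain that a flat `ldd` listing hides.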