Firstly, the security patch was already published by the ACF team, and that wasn't the code that was pushed. This was a package takeover, slug, reviews, users, everything:
People woke up to their website being updated to “Secure Custom Fields”, an alternative (or a fork) that's not fully compatible. Here's one such report from HN: