As @lillylizard pointed out, it turns out that these are new packages, not comprised existing packages like I first thought.
Still, the nature of the hack is a Remote Execution, as you pointed out elsewhere, meaning the hacker could pull my router password from the password manager, or grab my SSH keys and log into whatever machine is listed in the known_hosts, or just mess with my Ebay account and the credit card saved on there. The hacker could in theory do literally anything I could do.
Whether or not SteamOS installed them is irrelevant. All the hacker would need is to compromise a machine that had some sort of remote access to other devices (ssh in this case, with some sort of keylogger to decrypt the private key).
You are not compromised unless you specifically installed one of these 3 packages on one of your machines:
- librewolf-fix-bin
- firefox-patch-bin
- zen-browser-patched-bin
The packages were only available for download for 3 days, and the only way you could have installed them is if you explicitly typed one of the package names into your terminal within those 3 days.
Did you do that? If no, then you are not compromised.
I had the regular librewolf-bin package installed on a couple of my machines. It took me a bit of time to note that librewolf-fix-bin is something separate.