Hacker News

flykespice, yesterday at 4:35 PM

The xz backdoor should've been a wake-up call for everyone subscribing to the classic cargo cult that "malware can't exist in open-source software". All the payload was submitted through auditable code that was cleverly concealed from review.