to me: the most chilling thing is that someone involved in the open source ecosystem introduced this vulnerability and, if it was intentional, what else did they do?