When Microsoft Engineer Andres Freund noticed SSH was taking longer than usual he discovered a backdoor in xz utils, one of the underlying libraries for systemd, that had taken years to be put in place. The United States Cybersecurity & Infrastructure Security Agency (CISA) has assigned CVE-2024-3094 to the issue.
Source: InfoQ