The recent XZ hack is quite an impressive long-con hack on a carefully picked open source project: slowly gaining trust and then getting hidden malicious code signed. Glad this was found early and did not land in Debian LTS, which would have been quite bad. Check out the TL;DR video or the JFrog post-mortem: