I understand why the author(s) of the analysis of the backdoor being distributed by this project decided not to notify upstream first since it looks like either the upstream is the compromise or at least are compromised themselves, so reporting here first would have done nothing except give the culprit time to wiggle. But the cat is out of the bag now and I see comments all over the place pinging the author. I think it's high time a bug report here notifies people following this tracker there is an issue. Also this serves as a request for a postmortem. Either this project has members that are bad actors or the members have themselves been deeply compromised. Most evidence seems to support the former. If there is evidence of the latter I suggest getting it out there post-haste.