Scary.
Alright, so ever since the finding ended up on Hacker News, I've been digging into a blog every day, uncovering more and more about the attack. I'm baffled at the layers of tricks and deception that the attackers used.
Now I keep following this GitHub Gist.
I don't know what else to say other than... Whoa...
One little anecdote that hit me the other day was related to how the attacker "obfuscated" the build scripts for the backdoor:
I was complaining about C++ build systems' complexity and how unergonomic it is to work with them. And this post explaining the attack shell code just made me recall that little rant I had...
I'll update the following list with interesting links I found: