@BrodieOnLinux I wonder what software could that be.

>

This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

This sounds like a two-part attack. First compromise the library, and then “wait” for an update or so of another software using that library.

I wonder in what other application the attackers managed to hide the code that does the malicious things.