I would like the #infosec community to think about this:

Let us assume the persons behind Jia Tan are doing this for a living. We know that at least one person has been doing it for at least two years and that "xz" was far from being a full-time job. A lot of know-how is reusable, but not the code (it could be easily detected).

So how many projects did the person(s) infiltrate in that time?

My personal guess is that that number has more than one digit. We can only pray it was a gifted amateur who did this as a side hustle.