https://boehs.org/node/everything-i-know-about-the-xz-backdo...

This is the scariest part to me:

> A pull request (https://github.com/jamespfennell/xz/pull/2) to a go library by a 1Password employee is opened asking to upgrade the library to the vulnerable version