As expected.
And I would say that this backdoor is actually a bug or an insecurity in the GitHub system,
because:
Normally upstream publishes release tarballs that are different than the automatically generated ones in GitHub. In these modified tarballs, a malicious version of build-to-host.m4 is included to execute a script during the build process.
Or, translated: the user goes to download the release package, and it does not have to match what is in the source code.
You can literally put any kind of malware into a release and nobody checks.