

Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it's relevant now.

https://gitlab.com/fdroid/fdroidclient/-/merge_requests/889

in reply to Hans-Christoph Steiner

Similar things happened in the past to Arch's AUR repository, and not only one time. Something like that was also on GitHub as well, and not that long ago, if I remember correctly.
in reply to Hans-Christoph Steiner

Interesting. However, with a project that relies on string concatenation for producing SQL queries rather than prepared statements – this kind of thing is to be expected; most likely it was an honest mistake. The issue was also fairly obvious; someone attempting to introduce it maliciously should have expected it to be caught.
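The concatenation-versus-prepared-statement distinction in the reply above, as an added example that is not the thread's or F-Droid's own code: Python's sqlite3 stands in for the client's Android SQLite code, and the app table and its `hidden` column are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample index; the real F-Droid schema is not on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app (name TEXT, summary TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO app VALUES (?, ?, ?)", [
        ("F-Droid", "App store", 0),
        ("O'Reilly Reader", "Ebook reader", 0),
        ("SecretBeta", "Unlisted build", 1),
    ])
    return conn


def search_concat(conn, term):
    # VULNERABLE: the search term is spliced into the SQL text, so any quote
    # in it becomes part of the statement (the pattern criticised above).
    sql = ("SELECT name FROM app WHERE hidden = 0 AND name LIKE '%"
           + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    # HARDENED: the term travels as a bound parameter and is always data,
    # never SQL, so quotes and comment markers have no special meaning.
    sql = "SELECT name FROM app WHERE hidden = 0 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def concat_raises(conn, term):
    # True when the concatenated query is not even valid SQL for this term.
    try:
        search_concat(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    # A legitimate term with an apostrophe breaks the concatenated query
    # outright, while the parameterised one simply finds the matching row.
    print(concat_raises(db, "O'Reilly"), search_param(db, "O'Reilly"))
    # A term that closes the quote and comments out the rest of the
    # statement makes the concatenated query ignore the hidden filter.
    print(search_concat(db, "%' OR 1=1 --"), search_param(db, "%' OR 1=1 --"))
```

On Android the equivalent fix is to pass the term through `selectionArgs` to `SQLiteDatabase.query()` or `rawQuery()` instead of building the selection string by hand.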
in reply to Yellow Flag

@WPalant Because the submitter deleted their account as a response to the review, I think it could be a deliberate attempt to insert the vuln. Plus all the attention from random new accounts. If it had been a normal review process, I could see how it could have been an honest mistake. But that scenario also makes it more attractive to the attacker, since making a mistake there is quite plausible, and could serve as an easy cover story.
in reply to Hans-Christoph Steiner

@WPalant It sounds like the person got frustrated and left the project after trying for four months to have their changes approved. From reading the thread, I don’t blame them.