A great post by Ben Hawkes on the then and now of OpenSSH backdoors: https://blog.isosceles.com/openssh-backdoors/
Some highlights:
> In practice though, everyone runs a systemd-based Linux distribution of some sort – in which case you end up running code from around 30 different packages in your OpenSSH address space (including our friends xz and zlib of course). That's already starting to get uncomfortable.
> That means the supply chain integrity for practically everything relies on the integrity of a2hosting.com and the absence of any remote exploits in CPanel or exim.
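To put a number on the first quote for your own host, here is an added shell example (my own, not code from Hawkes's post) that inventories the shared objects sshd links against and attributes each to its owning package. It assumes a glibc-based Linux with `ldd` and Debian-style `dpkg -S`; `SAMPLE_LDD` is a constructed, abridged input so the counting logic can be run offline.

```shell
#!/bin/sh
# Added example: measure the library attack surface of OpenSSH's sshd binary.
# Assumptions: glibc ldd output format, Debian-style dpkg -S for package lookup.

# count_shared_libs: count distinct resolved libraries in ldd-style output on stdin.
# Lines look like "libz.so.1 => /usr/lib/.../libz.so.1 (0x...)"; the vDSO and the
# dynamic loader lines have no "=>" and are skipped.
count_shared_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { seen[$3] = 1 }
         END { n = 0; for (k in seen) n++; print n }'
}

# list_shared_libs: print the distinct resolved library paths, one per line.
list_shared_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# Constructed ldd-style sample (not captured from a real host, deliberately short).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd1a3f0000)
	libcrypto.so.3 => /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a0c000000)
	libz.so.1 => /usr/lib/x86_64-linux-gnu/libz.so.1 (0x00007f1a0bfe0000)
	libsystemd.so.0 => /usr/lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a0bf00000)
	liblzma.so.5 => /usr/lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1a0bec0000)
	libc.so.6 => /usr/lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a0bc00000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1a0c200000)'

# sshd_lib_report: on a real host, print "<package>\t<library>" for every library
# sshd links against, then the total. Libraries pulled in later via dlopen (for
# example PAM modules) do not appear here; /proc/<pid>/maps of a running sshd does show them.
sshd_lib_report() {
    bin="${1:-/usr/sbin/sshd}"
    [ -x "$bin" ] || { echo "no sshd binary at $bin" >&2; return 1; }
    ldd "$bin" | list_shared_libs | while read -r lib; do
        pkg=$(dpkg -S "$lib" 2>/dev/null | head -n1 | cut -d: -f1)
        printf '%s\t%s\n' "${pkg:-unknown}" "$lib"
    done | sort
    printf 'total libraries: %s\n' "$(ldd "$bin" | count_shared_libs)"
}

# Demo on the constructed sample (prints 5).
printf '%s\n' "$SAMPLE_LDD" | count_shared_libs
```

Run `sshd_lib_report` on a real Debian-family host to see how many distinct packages stand between a remote client and sshd; the vDSO and loader are excluded on purpose since they are not separately packaged.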