They did fuck up quite a bit though.
They injected their payload before they checked if oss-fuzz or valgrind or ... would notice something wrong.
That is sloppy and should have been anticipated and addressed BEFORE activating the code.
Anyway. This team got caught. What are the odds that, for the state actor that did this, this was the only project / team / library that they decided to attack?