This won't be the last sophisticated and methodical OSS supply-chain attack. The actor(s) behind xz are probably already learning their lessons ahead of their next attempt. Indeed, xz might not be the only attack they had in progress.
The next one is going to be more carefully operated and harder to spot. How are we going to stop it?
Npars01