Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now
https://gitlab.com/fdroid/fdroidclient/-/merge_requests/889
Search improvements: Sort based on keyword matching and removed alphabetic sort (!889) · Merge requests · F-Droid / Client · GitLab
The search results are pretty unusable currently. So I've changed it to show apps in this order: App name matches keyword, summary matches keyword, description matches keyword. Also,...GitLab