The back door is in the upstream GitHub tarball. The most obvious way to get stuff there is by compromising an old style GitHub token. The new style GitHub tokens are much better but it’s somewhat intransparent what options you need. Most people also don’t use expiring tokens. The authors seems to have a lot of oss contributions, so probably an easy target to choose.