What a blunder.<p>I think even the worst static code analyzers would have caught this.<p>Looking at the code that was injected by an attacker it seems like they were trying to extract user sessions and exfiltrate it.<p><a href="https://programming.dev/post/532566" rel="nofollow noreferrer">https://programming.dev/post/532566</a>
I found myself asking the same thing: <a href="https://news.ycombinator.com/item?id=36662195">https://news.ycombinator.com/item?id=36662195</a>