There is a very interesting writeup at Ars Technica on a sophisticated malware attack that allowed bad actors to compromise infrastructure used to update and distribute Linux. The attack took place back in 2011 and led to 448 accounts being compromised. It installed Ebury, a backdoor in OpenSSH that allowed access to a root shell on infected hosts. Ebury was eventually able to infect more than 400,000 servers, and compromised servers were used to create a for-profit botnet.
Here is some additional reading on Ebury and the initial attack vector:
https://attack.mitre.org/software/S0377
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45467