Both the Ars Technica and securelist.com articles say "Debian", with no mention of "Ubuntu".

Given how much Ubuntu has ridden atop the shoulders of Debian, without much acknowledging it, it's a shame that "password-stealing Linux malware" is labeled as involving "Debian".

Would be nice to have numbers on how much each distro ended up infected.

The ars article says “debian package”, which is a file format. It doesn’t mention any distributions.

dupe: https://news.ycombinator.com/item?id=37486946

Yup, was posted earlier

Is anyone surprised a file called "free download manager" was malware? Anyone that lived through Kazaa isn't surprised :)

It's a supply chain attack.

Title says it took 3 years..

It's just a classic mathematician's answer: https://tvtropes.org/pmwiki/pmwiki.php/Main/MathematiciansAn...