I have to ask: were they not properly reviewed when they were first merged?

Also to assume _all_ commits made by UMN, beyond what's been disclosed in the paper, are malicious feels a bit like an overreaction.