I have just read an article from a white-hat hacker who had successfully triggered remote code execution in major technology companies.
The idea is not that difficult to understand. Essentially, a lot of software nowadays is built on different libraries, some public and some private, and there are various packaging mechanisms (like npm, and a few others mentioned in the article) that help automatically ensure that you are always pulling and updating those libraries in a timely fashion through buildbots and other DevOps tools.
Large tech corporates don't just use publicly available libraries; they build their own as well, also packaged as "private" repositories so that the packaging tools work and hence their DevOps toolchain continues to work.
But those tools may not necessarily ensure that the private and the publicly available library repositories are picked up correctly. What if there suddenly exists a public repository with the same name as the private one? The article explained that some of these tools will pick up whichever has the highest version number.
So if you craft such a library with a higher version number, your code will be injected into those libraries.
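To make the resolver behaviour concrete, here is a small Python model, added to this post as an illustration and not code from the article or from any real package manager. It contrasts a naive "highest version wins, regardless of index" resolver with one that pins internal package names to the private index, and adds a lockfile audit that flags any internal name resolved from the public index. All package names, versions and the lockfile rows are constructed for the example.

```python
"""Model of dependency confusion: naive vs. index-pinned resolution, plus a lockfile audit.

Constructed example; the names, versions and indexes below are made up.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Set


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # "private" (company registry) or "public" (e.g. the default registry)


def parse_version(version: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def resolve_naive(name: str, candidates: Iterable[Candidate]) -> Candidate:
    """The weak behaviour described in the post: merge every index and take the
    highest version, so a same-named public package with a bigger version wins."""
    matching = [c for c in candidates if c.name == name]
    if not matching:
        raise LookupError(f"no candidate for {name}")
    return max(matching, key=lambda c: parse_version(c.version))


def resolve_pinned(name: str, candidates: Iterable[Candidate], internal_names: Set[str]) -> Candidate:
    """Hardened behaviour: internal names are only ever satisfied from the private
    index, everything else only from the public index. Version is compared only
    within the allowed index, so a public package can never shadow an internal one."""
    allowed_index = "private" if name in internal_names else "public"
    matching = [c for c in candidates if c.name == name and c.index == allowed_index]
    if not matching:
        raise LookupError(f"{name} not found on the {allowed_index} index")
    return max(matching, key=lambda c: parse_version(c.version))


def audit_lockfile(lock: Sequence[Candidate], internal_names: Set[str]) -> List[str]:
    """Detection check for an existing lockfile: return every internal package
    name whose pinned entry was fetched from the public index."""
    return sorted(c.name for c in lock if c.name in internal_names and c.index != "private")


# Constructed inventory: one internal package and one ordinary public package.
INTERNAL_NAMES = {"acme-internal-utils"}

CANDIDATES = [
    Candidate("acme-internal-utils", "1.4.2", "private"),
    # A same-named package on the public index carrying a higher version number.
    Candidate("acme-internal-utils", "99.0.0", "public"),
    Candidate("requests", "2.31.0", "public"),
]

# Constructed lockfile as it would look after a naive resolver had run.
LOCKFILE = [
    Candidate("acme-internal-utils", "99.0.0", "public"),
    Candidate("requests", "2.31.0", "public"),
]


if __name__ == "__main__":
    naive = resolve_naive("acme-internal-utils", CANDIDATES)
    pinned = resolve_pinned("acme-internal-utils", CANDIDATES, INTERNAL_NAMES)
    print(f"naive resolver picked  : {naive.version} from {naive.index}")
    print(f"pinned resolver picked : {pinned.version} from {pinned.index}")
    print("lockfile findings      :", audit_lockfile(LOCKFILE, INTERNAL_NAMES))
```

The two things worth taking away are that the fix is a policy on *which index* a name may come from, not a version comparison, and that the same rule can be run after the fact over a lockfile to find builds that already picked up the wrong package.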
The rest (like how the author used DNS exfiltration to get the necessary data back) is standard stuff.
Large tech corporates will be able to fix this easily, but for the rest of the world, with fewer resources and fewer security staff who know deep technology (or vice versa), it will be way more difficult.
Maybe it's time to consider a switch in career?