I don't mean to pick on your comment, but to respond to a prior comment, you are beginning with a very positive world view and interpreting the events from there.

Lazy API that did not vet a simple backdoor?

Good coders but accidentally pushed the debug version of the API?

I am going to have to say the second option feels less likely (yes, I have been called cynical).

Different confs in the same repo. Many CI/CD tools will pick debug/dev conf by default if nothing else is set.

It was just an example. Maybe they knew.