it's a backdoor, not a bug
The code shown in the GitHub writeup looks like a deliberate backdoor to me. I mean, the user passes you a pointer to a function, and you call it - no trickery of any kind is involved, no logic subtleties, no unintended interactions between calls. This is not something you write by mistake.