Just to clarify the title. It was not a deliberate backdoor on the part of Passwordstate. It was a supply chain attack. There is some history to their security holes (most of the known ones being patched).
https://twitter.com/juanandres_gs/status/1385689464329187329
https://github.com/NorthwaveSecurity/passwordstate-decryptor...
A potential issue in the password management space is that Francisco Partners (owner of NSO Group) owns Lastpass (and LogMeIn).
https://en.wikipedia.org/wiki/NSO_Group
https://www.globenewswire.com/news-release/2020/08/31/208621...
Note: I work in the IAM and PAM space and designed dashboards for saas pass.
Password managers seem to be the most critical software where open source and reproducible builds are needed. Are there any good FOSS password managers that can do remote sync and team permissions?
Bitwarden seems to tick the boxes you need - FOSS license, syncs via an (open source) server which you can host yourself, or use their hosted version, and there's team versions available.
It's pretty good. There's also bitwarden_rs (a rust-based server component) if you fancy a simpler self-hosting stack that doesn't require SQL server.
The solution has been audited, I believe, but audits are only valid at individual points in time. The only downside for me is the use of electron and web technologies in many of the clients - that for me is a huge attack surface of complexity that few people can fully understand and manage.