The compromise was introduced via a governance proposal, and the Tornado Cash Developers confirmed the compromise, urging users to withdraw old deposit notes and token holders to cancel their votes for the malicious proposal.
Source: cyware.com