>Unless they specifically hardcoded a back door into the game, I’m dubious a leak would result in an RCE so quickly, if ever.

AFAIK, parts of the source code have already been leaked since 2018 amongst certain circles outside Valve. It's only been in the past few days that this is now common knowledge.

I'm assuming that whomever leaked the code modified it and added a remote exploit to the codebase and that's what folks online are referring to. Happens a lot with shady non-scene type of warez.

So that would affect people who got the code, setup their build environment, built that code and then ran it??

Yes, if this is in fact true and not a rumor I would expect so. No one else other than folks pirating and running the leaked code is affected.

Allegedly there's already an exploit in the wild that lets you open a popup in game to all other players in a server. You can find screenshots if you look around the /r/tf2 subreddit.

"allegedly" means nothing and screenshots are so easy to fake, it's 2020. I want to see concrete proof of this alleged exploit.

I remember a custom CSS server doing this. The admin would fire off some command and a typical in-game browser window would show that would immediately go to a site the admins ran that hosted audio files. One would start playing. You could turn it off but they could push out the link again.