My guess with what happened is that they were downloading to /var somewhere and messed up a variable name when they called unlink() to remove their temporary data, which when running as root would delete the symlink of /var to /private/var. It wouldn't be caught if they weren't testing without SIP enabled, on older macOS versions, and rebooting as a part of the test suite.
E.g. I'd put a dollar on this being a variable naming bug, where they called unlink(temp_dir) instead of unlink(temp_dir_where_we_put_stuff), with the former being "/var".
E.g. I'd put a dollar on this being a variable naming bug, where they called unlink(temp_dir) instead of unlink(temp_dir_where_we_put_stuff), with the former being "/var".