The Segwit2x development team added to the projects Github repository an implementation allowing BTC1 nodes to be masked, making it more difficult for Core 0.15 nodes to identify them. It is said that, and I quote "this officially makes Segwit2x a Trojan horse as it allows anyone to run 2x nodes in disguise.".
Can anyone explain? Is it a vulnerability of BTC ?
From my understanding of the situation, it is not necessarily a malicious thing, but has the potential to become one.
The change in the code is apparently done so that they can initiate the fork and not be stopped from the initiation process by being disconnected from the network in the process.
However, they will suffer consequences from this implementation, since they will then have a harder time connecting between themselves on the B2X network (the B2X nodes will have a harder time finding each other).
Where there may be consequences for legacy bitcoin is that the coins on the 2 networks may become "stuck" together, with risks of replay attacks, etc.
It is certainly not a best-practices approach and everyone should be careful around the fork with spending their coins (better hold off until the water settles).