Called it!

I just saw a notification that an xz-utils distribution got backdoored (apparently by a contributor, based on what little information I've found). The compromise is in the configure script.

Just as I predicted back in 2009. I did write that I wasn't very afraid of authors backdooring their software. Apparently I was too trusting, though actually I think it was more like my forgetting that some software has many authors.

I'm slightly surprised it took over fourteen years for it to happen (and be noticed). I guess too few black hats read my blah.

In this case, I'd prefer to have been wrong.
