The Mudcat Café™
Thread #171552   Message #4149967
Posted By: DaveRo
11-Aug-22 - 03:14 AM
Thread Name: BS: Can Viruses Talk?
Subject: RE: BS: Can Viruses Talk?
MaJoC the Filk wrote: Malfeasance in FLOSS is more likely to be spotted...
I wonder if it would be spotted if it were contributed by the project's core contributors? To take the analogy of the Linux Kernel, if Linus and his top team added suspicious code, would anyone notice?

Fortunately, security of OSS code is belatedly receiving some attention - and funding. But there are still gaps. This just today:
Boffins rate npm and PyPI package security and it's not good

Just yesterday I wondered where a Python thing I was about to install came from and who maintained it. But I installed it anyway. After all, it was mentioned on Stack Exchange, so it must be OK!
But a small one installed some other how could call home
Yes. But challenging on an air-gapped machine!