Yeah, just look at the xz lib supply chain attack that happened recently.
Something like that probably happens all the time with nation-state actors inserting subtle vulnerabilities into open source software.
Go to any major lib's GitHub and look at how many PRs get merged with superficial or even seemingly no review.