[tremon]

That's only half of the trusting trust-attack though; the other half is being able to make the compiler compromise propagate itself, i.e. not just inserting any backdoor in compiled code, but inserting itself in any compiler built using the compromised tool.

[selfhoster11]

Mobile and Electron apps often weight hundreds of megs. That's enough data to hide an entire classic-style OS in the spaces between the data. While I don't know whether someone did insert such a recursive compiler, they certainly can do it unobtrusively enough that it doesn't raise any suspicion.