[lb4r]

Wouldn't it be easier (since they probably have very skilled programmers working for them) and way, way more effective to just set up a team and create a quality open source project with one or two extremely stealthy backdoors?

Or just pay or threaten a struggling company or dev to insert them?

[underscoring]

its all about ease.

easier to clone and infect existing ones. what you are describing might be effective but would be orders of magnitude more time consuming.

cloning and infecting provides 100x more opportunities because these are already popular repos

as to paying or coercing someone, again it costs time and money. far easier to just abuse this loophole

[gitaarik]

How would you secretly hide something like that in FOSS? And why would that be easier? It's seems to me that it's easier to inject into an existing company than to do all the work yourself. This is what they do with most things as I understand.

[Lt_Riza_Hawkeye]

The heartbleed vulnerability was hidden in plain sight for the better part of a decade, no?

[gitaarik]

Yes, but that was a memory leak, giving access to unauthorized random memory. That is not an intentionally created exploit / backdoor which gives the owner easy access to the victim's system.