Hacker News
by prmoustache 601 days ago
> Or maybe not?

This.

It is just slightly more difficult and longer to target it in a large company because you usually have to actually be hired by that company and do not necessarily have the choice of the team/products you will be working on.

But adding backdoors and vulns, yes, totally possible on random products that person would be assigned to. There is review fatigue the same way there is fatigue in a lot of processes.

2 comments

> It is just slightly more difficult and longer to target it in a large company because you usually have to actually be hired by that company and do not necessarily have the choice of the team/products you will be working on.

There are lots of examples at almost all the Fortune 500. Because they do not sneak in as just some random employee.

Cisco is very well known for backdoors in their equipment.

Adding a backdoor is not the difficult part, leaving no trace is. People don't know who you are on GitHub, but it's easy for top name companies to track who created the backdoor in great detail. Actually the power of tracing a real person is one of the best defenses.