It's entirely possible to ship malware in source form... Just look at the numerous supply chain attacks. Nix is a cute project but entirely irrelevant here.
Burning an identity? Instead of hacking the server that serves the binary, you have to hack the developer's machine and commit a malicious source change.
I wouldn't consider either of them to burn an identity.