You… should probably pay more attention to the news.
It is very possible for bad actors to inject malicious code into an open source project. And it is very probable for people to not notice because the vast majority of developers never read a single line of the open source code they claim to value so much.
“Any bad code will be detected by the armies of people who do rigorous code analysis of every single pull request” was always nonsense.