There are serious cyber security implications here that people are sleeping on
No, there are not.
At most, if they decide to kill the project by adding malicious code they can affect Lemmy itself. 99% of users don’t run Lemmy (which is where the “quiet exploits” would run), and the frontend simply doesn’t allow you to have a serious impact, unless you think they will stumble upon a browser 0-day and they decide to burn it by committing the exploit to an open source repo instead of selling it for millions (or use it elsewhere).
What’s with the fearmongering? Their stance is crystal clear since ever.
possibly even fork the Lemmy repos
Right, and who maintains the fork? Who, among the large population of external contributor, I mean?