Funny how your mayer example is actually proprietary closed-source software. So being an open source project carried by a large community doesn't seem to be an actual drawback -- if at all, a Solarwinds-like attack is far more improbably to succeed in a popular and well run open source project than in the darkness of closed source.
I think of two things, the Solar Winds build corruption, and putty's mishandling of e521 keys.
What is your vulnerability to a similar disaster, exploited or not?