
The risk is much lower, but there's the possibility of poisoning the binaries or release package.

There's also the whole "just because open source allows people to review code doesn't mean that they do" problem, but I don't expect that attack vector to be used by state actors because it would make the beneficiary of the attack too obvious to the public.


