TL;DR there was a backdoor found in the XZ program. All major distros have been updated but it is recommended that you do a fresh install on systems that are exposed to the internet and that had the bad version of the program. Only upstream distros were affected.
One still could hide something in source code. I think we need to just be more security aware in general. Having source code isn’t useful if someone deliberately put a security hole in it