University of Minnesota published a paper about vulnerabilities being introduced to open source by malicious actors contributing commits. They did this by intentionally introducing bad code via merge requests to the Linux kernel, leading to vulnerabilities. Some of the 190 commits have even landed in stable branches.
Ethically, this is an unacceptable behavior for experimentation, and has been reported to the UMN Institutional Review Board on these cases. Ethics complaints have also been filed to IEEE to have the publication revoked, but it’s unlikely that it will be. They’ve also been banned, as a University, from contributing to the Linux kernel, as well as from communicating through many Linux kernel mailing lists.
Their experiments prove that humans are fallible. Good job, folks.