Source in git has the malicious binary, though. A malicious committer did it, not just anyone.