Yes, this particular part, it's also very ingrained, like older versions of cocoa pods (a dependency management tool) had an attack vector where while building you your app a malicious actor could inject dependencies you didn't even ask for, it's fixed in recent versions, but it was active for years, and developers didn't even know they were shipping malicious apps to their users.