
Not sure we're talking about the same thing. By validation I mean of identity. On proprietary software, before an attacker gets inside access to the code, they would have to interview, get hired, submit (presumably fake) ID documents, provide (again, presumably fake) bank details, etc. This attacker just had a GitHub account and email, as far as I understood it.

But, as I said, maybe tricking a subcontracting company into hiring you is not as hard. I remember working with contractors whose faces I've never seen on video, let alone in person.



I didn't think of "identity" in this sense, but I don't see this as a show-stopper either.

On my current gig developer churn is not high, yet I've only recently met developers hired 6+ months ago. I know first-hand only a handful of the committers I see. I barely know the most common committers. I generally do watch commits of the trees/projects I'm interested in, but I'm a minority, and such behavior wouldn't catch something similar to the xz situation unless I'm absolutely lucky.

This also ignores the fact that you can just as well corrupt a current employee.


You might not know them, but HR does. No way your employer is sending them money every month without a reasonable degree of certainty that they are who they say they are. Or, at the very least, that they aren't 3 hackers in a trenchcoat.

And corrupting an employee doesn't sound that easy, either. I mean, we do get paid above average.

That still leaves shit third-party contractors and compromising employees' computers/accounts, though.



