It's usually not possible to prove that something was put in deliberately and maliciously, so that puts the bar very high. We know it for sure in some of the supply chain attacks, and should assume that other kinds of bugs are being introduced by malicious actors across the board, rather than to risk downplaying the issues to "just blunders".
www.korrektesoftware.de