@falktx Malice is harder, but very much not impossible. Look at the Deepin desktop for instance (I'm not saying they're malicious, but they very well could be, given how they've stubbornly kept introducing deliberate vulnerabilities, and no one seems to have noticed/cared except openSUSE).
Libcurl is a good thing to point out. I hadn't even thought about that one myself, but it's quite obvious now that you mention it.