Comment by arp242
2 months ago
You're overestimating the amount of auditing these distros do for the average package; in reality there is very little.
The reason these compromised packages typically don't make it into e.g. Debian is because this all tends to be discovered quite quickly, before the package maintainer has a chance to update it.