They'd be visible, if it was noticed. Bugs get introduced to OSS all the time just because sometimes it's hard to review code 100% accurately. Replace bugs with truly malicious code and the same applies.

If you told me I use OSS on a daily basis that has some sort of malicious code that slipped though the cracks, I'd believe it just due to the shear amount of code running on any machine.

Only if someone looks at the code.