Yes. The first such occurrence I know of is sufficiently old that it precedes the terms open-source and free software, dating back as it does to a time before people had realised that software could have monetary value independent of the computer on which it ran, and therefore tended to share all software.
As is documented in the Wikipedia article on backdoors, Ken Thompson implemented an attack described by Karger and Schell in 1974 by modifying the C compiler distributed as part of UNIX (which everyone got from him, he being one of the original authors). The attack came in three parts.
- The maliciously-modified compiler recognised when it was being used to recompile the UNIX login programme, and inserted a backdoor login known only to Thompson.
- Moreover, the compiler recognised when it was being used to compile itself, and inserted the vulnerability into the compiler executable so produced; thus it was not possible to detect or remove the vulnerability merely by inspecting the source code for the compiler.
- Finally, the malicious compiler also modified on compilation the binary disassembly tool supplied with the system, so that anyone using the standard tools to examine the executable forms of these programmes would also miss the vulnerability.
Thompson revealed this in his 1983 Turing Award acceptance speech, Reflections on Trusting Trust. Although he only wrote the code as a proof-of-concept, Wikipedia notes that
> It is believed ... that a version was distributed to BBN and at
> least one use of the backdoor was recorded. There are scattered
> anecdotal reports of such backdoors in subsequent years.
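
A toy model of the three parts listed in the answer above, as an added example that is not part of the original answer and is not Thompson's code: compiler binaries are modelled as Python callables, and every name and string is constructed. It goes one step beyond the answer by showing that comparing raw output against an independently obtained compiler exposes the difference that source review and the system's own tools miss.

```python
# Toy model, all names constructed: "source" is text, a compiler "binary" is a callable.
LOGIN_SRC = "login: accept iff password matches"
CC_SRC = "cc: translate source to object"
DISASM_SRC = "disasm: print object contents"
MARK = " +EXTRA_ACCEPT"           # stands in for the change inserted into login
SOURCES = (LOGIN_SRC, CC_SRC, DISASM_SRC)

def honest_disasm(obj):
    return obj                    # shows exactly what is in the object

def hiding_disasm(obj):
    return obj.replace(MARK, "")  # part 3: the inspection tool omits the change

def honest_cc(src):
    """Output depends only on the source it is given."""
    if src == CC_SRC:
        return honest_cc
    if src == DISASM_SRC:
        return honest_disasm
    return "OBJ<" + src + ">"

def subverted_cc(src):
    """Same clean source in, different binaries out."""
    if src == CC_SRC:
        return subverted_cc       # part 2: rebuilding the compiler keeps the change
    if src == DISASM_SRC:
        return hiding_disasm      # part 3
    if src == LOGIN_SRC:
        return "OBJ<" + src + MARK + ">"   # part 1
    return "OBJ<" + src + ">"

def source_audit_clean():
    """Reading every source file finds nothing: the change lives only in binaries."""
    return all(MARK not in s for s in SOURCES)

def rebuild_from_source(cc, generations=3):
    """Recompile the compiler from clean source repeatedly, then build login and disasm."""
    for _ in range(generations):
        cc = cc(CC_SRC)
    return cc(LOGIN_SRC), cc(DISASM_SRC)

def inspect_with_own_tools(cc):
    """What an administrator sees when using the disassembler the same toolchain built."""
    login_obj, disasm = rebuild_from_source(cc)
    return disasm(login_obj)

def differs_from_independent_build(suspect_cc, trusted_cc):
    """Check not in the answer: compare raw objects against an independent compiler's output."""
    return rebuild_from_source(suspect_cc)[0] != rebuild_from_source(trusted_cc)[0]
```

In the model, the source audit passes and the toolchain's own disassembler shows identical login objects for both compilers; only the raw comparison against the independent build differs.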