Hacker News

Nope. Theoretically it should be happening but it rarely happens. In fact, given the sophistication of this particular adversary, they would have just compromised the build server (and re-signed the binary) and I doubt anyone goes to the length of verifying the build server builds against some reference.


Maybe we should be, in response to knowing the viability and use of CI hacks?

Ensure you have a reproducible build, then randomly build on a different machine and compare file signatures of the results. Do it every so often with a “clean room” machine. Probably no need to run parallel infra that’s just as likely to be hacked.
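One way to do the cross-check described above, as an added example that is not from the thread: a POSIX shell script that hashes every file in two build trees (say, the CI output and a clean-room rebuild) and reports any file whose hash differs or that exists on only one side. The tree layout and file contents are constructed samples, not real artifacts.

```shell
#!/bin/sh
# Cross-check two independent builds of a reproducible source tree, e.g. the
# artifacts from the CI server against those from a clean-room machine.
# Sample trees are constructed inline so the script runs stand-alone.

# Hash a file with whatever SHA-256 tool is present; output is "hash  path".
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Emit a sorted manifest ("hash  ./relative/path") of every regular file in
# a build tree. Relative paths let two trees be compared line by line.
manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do hash_file "$f"; done)
}

# Compare two build trees. Prints each file whose hash differs or that is
# present on only one side; returns 0 only when the manifests are identical.
compare_builds() {
    m_a=$(mktemp); m_b=$(mktemp)
    manifest "$1" > "$m_a"
    manifest "$2" > "$m_b"
    if diff "$m_a" "$m_b" > "$m_a.diff"; then
        rc=0
    else
        rc=1
        # '<' lines come from the first tree, '>' lines from the second
        grep '^[<>]' "$m_a.diff"
    fi
    rm -f "$m_a" "$m_b" "$m_a.diff"
    return $rc
}

# Constructed sample: a "CI" tree and a "clean-room" tree from the same
# source, where the CI copy of one binary was swapped out after the build.
make_sample_trees() {
    root=$(mktemp -d)
    for side in ci cleanroom; do
        mkdir -p "$root/$side/bin" "$root/$side/lib"
        printf 'ELF-placeholder-app\n' > "$root/$side/bin/app"
        printf 'ELF-placeholder-libfoo\n' > "$root/$side/lib/libfoo.so"
    done
    printf 'ELF-placeholder-app-TAMPERED\n' > "$root/ci/bin/app"
    echo "$root"
}

# Demo: ./bin/app is reported from both sides, so the builds do not match.
root=$(make_sample_trees)
compare_builds "$root/ci" "$root/cleanroom" && echo "builds match" || echo "MISMATCH: do not sign"
rm -rf "$root"
```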



