To be honest, it wouldn’t take much for distro maintainers to detect that and stop it

But who is seriously looking at the sudo code at every update. I would bet a lot of money that the vast majority simply trust him and gloss over it maximum.

The chain of trust has to exist otherwise distrobox maintainers would spend 24 hours a day reviewing code changes and only update once every 6 months.

You may want to look into how the xz backdoor has been discovered. That backdoor was very well hidden. Implementing a crypto mining malware would be blatantly obvious and yes, people do in fact look at such code