c compilation malware

Compile time malware possible?


Is it possible for, let's say, open source programs to install malware at compile time? I'm thinking of C macros or makefile-related stuff that will execute evil code at compile time. Or am I safe as long as I don't start running the compiled program?


Solution

  • Consider that the makefile is essentially just a list of commands to run. So take for example the idea that you could distribute malware source code in a makefile project. Then when you build the project, the makefile goes and compiles the malware... and then at the end, executes the newly-compiled malware -- say for example pretending to run a unit test on what you think is not malware.

    It's certainly possible.
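
An added example, not part of the original answer: a small heuristic audit that lists the Makefile lines a reviewer should read before running make on untrusted source. The sample Makefile, the rule set and the name audit_makefile are constructed for illustration. It also flags constructs GNU make executes even during a `make -n` dry run.

```python
import re

# Constructed sample Makefile (not from the original post): the "test" target
# runs a binary that the build itself has just produced.
SAMPLE_MAKEFILE = """\
CC = gcc
HOST := $(shell uname -s)

all: app test

app: main.c
\t$(CC) -o app main.c

unit_test: test.c
\t$(CC) -o unit_test test.c

test: unit_test
\t@./unit_test --quick
\t+echo done
"""

# (reason, pattern, recipe_only): review heuristics, assumptions of this example.
RULES = [
    ("$(shell ...) runs during expansion, even under `make -n`", re.compile(r"\$[({]shell\s"), False),
    ("'+' or $(MAKE) lines are executed even under `make -n`", re.compile(r"^\+|\$[({]MAKE[)}]"), True),
    ("executes a file from the build tree", re.compile(r"(^|[;&|]\s*)\./[\w./-]+"), True),
]
TARGET_RE = re.compile(r"^([^\s:#=][^:=]*):(?!=)")  # "name:" but not "VAR := value"

def audit_makefile(text):
    """Return (line_no, target, reason, command) for each line worth reading."""
    findings, target = [], None
    for no, line in enumerate(text.splitlines(), 1):
        is_recipe = line.startswith("\t")  # recipe lines start with a tab
        if not is_recipe:
            m = TARGET_RE.match(line)
            target = m.group(1).strip() if m else target
        # Drop the '@' (silent) and '-' (ignore errors) prefixes make allows.
        cmd = line.strip().lstrip("@-") if is_recipe else line.strip()
        for reason, pattern, recipe_only in RULES:
            if (is_recipe or not recipe_only) and pattern.search(cmd):
                findings.append((no, target if is_recipe else None, reason, cmd))
    return findings

if __name__ == "__main__":
    for no, target, reason, cmd in audit_makefile(SAMPLE_MAKEFILE):
        print(f"line {no} [{target or 'global'}]: {reason}: {cmd}")
```

An empty result only means none of these three patterns matched; included makefiles, configure scripts and compiler plugins still need their own review, and building in a throwaway container or VM remains the safer default.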