The exe file was flagged. . . that's enough for me.
Yep, but if the virus did not show on recompile then it must be one of the scenarios below:
1. Dev's compiler inserted the malware.
2. The dev inserted malware code right before compiling but did not commit it on GitHub.