I trust the big projects: LibreOffice, Tomcat, Debian, Openmediavault.

But let's be clear: I have never done an audit myself and I'm totally not capable of doing it. I can program a bit but this is over my head. If a one guy project is overtaken by a bad actor, I wouldn't know. This has happened by the way, I don't remember which project it was, but it was pretty big - openssl or something.