dmitrygr 3 hours ago

100% with you. Anything that builds from the first try is 100% malicious. No real software builds without 5-30 tweaks of the makefile. And anything on npm/pip is malicious with a fixed chance that you have no control over, as seen in this attack. But the data remains: no supply chain attacks on libc yet, so even if it COULD happen, this HAS and that merely COULD.