I can understand it's hard to defend against plausibly deniable errors that create backdoors, etc. But this would show a complete lack of code review, no?
> But this would show a complete lack of code review, no?
You'd be surprised how many websites use Google Tag Manager to allow their marketing department to roll out trackers and other JS snippets directly into the site's root context.
GTM et al.'s sole reason for existence is to provide marketing people with a way to bypass corporate IT.
And I definitely would not rule out something like this being the cause in the end.
Code review just means you need an accomplice. It makes it harder, not impossible.