Reuters found that mobile apps built for the U.S. Army and the CDC were using software from Pushwoosh, a Russian company that presents itself as US-based. A fact not in that story: in 2013, a Pushwoosh developer admitted authoring the SMS-stealing Pincer Trojan for Android.
P.S. Back in the spring, we built a small tool for exactly this kind of question. RepoMetaScore evaluates open-source projects by looking at their contributors' profiles, so you can spot dependencies maintained from "untrusted" sources before they become a supply-chain problem.