I want to point out that they could similarly hire someone working at microsoft, or get someone up for a position there, to do this and it would be at least as hard to detect...
Large companies like Microsoft assume that there are advanced persistent threats that are willing to place HUMINT inside of their companies. The companies have dedicated internal teamd focused on detecting them.
For example, Twitter recently fired someone that was leaking information on dissidents to a foreign government.
You could, but it would be more difficult (though easily within the ability of the NSA).
To contribute to the Windows kernel you'd have to get someone hired by Microsoft, who presumably check their employment history (maybe), they have to actually go and work for Microsoft, etc. Obviously none of that is impossible but it's also obviously much harder than sending a patch to a mailing list.
Or you find someone who already works there who's having an affair and blackmail them into working for you. It's no different to how spies have operated for centuries.
