
Evil bits could just as easily sneak into KeePass if the author wanted to. It would require someone else constantly auditing all commits along with verifying binary builds posted on the website match the current source's compiled output.

Edit: my above comment is just to prove a point. We put trust in a lot of the software we run. Software being open source does provide some safety, but very, very few people will go through the effort to make that verification.


