Ah yes, the Ken Thompson hack. It's possible in theory, but I don't think anyone is seriously worried about it.
One way to mitigate the attack: if your compiler is open source you could compile the compiler with multiple (open source and proprietary) compilers, then compile your application code using the resulting compiler binaries in the deterministic build process. If the resulting application binaries match, then either none of the compilers are compromised, or all of them are. The latter seems highly unlikely.
Also, open source software compiled by the user would be just as vulnerable.
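The cross-check described in the comment above, as an added example that is not part of the original comment: each bootstrap compiler builds the compiler from source, each resulting compiler builds the application, and the application hashes are compared. The function name `ddc_check`, the `<compiler> -o <output> <source>` calling convention, and the use of `sha256sum` are assumptions, and the build is assumed to be deterministic already.

```shell
#!/bin/sh
# Added example: cross-check one application build across several
# independently bootstrapped copies of the same compiler.
# Assumed convention (hypothetical): every compiler is run as
#   <compiler> -o <output> <source>
# and the build is already deterministic (fixed flags, paths, timestamps).

# ddc_check WORKDIR COMPILER_SRC APP_SRC BOOTSTRAP_COMPILER...
# Returns 0 if every application binary is identical, 1 if they differ,
# 2 on a build failure or if fewer than two bootstrap compilers are given.
ddc_check() {
    work=$1
    compiler_src=$2
    app_src=$3
    shift 3
    [ "$#" -ge 2 ] || { echo "need at least two bootstrap compilers" >&2; return 2; }
    mkdir -p "$work" || return 2
    : > "$work/hashes.txt"
    i=0
    for bootstrap in "$@"; do
        i=$((i + 1))
        stage1="$work/compiler.$i"
        app="$work/app.$i"
        # Stage 1: build the compiler from source with this bootstrap compiler.
        "$bootstrap" -o "$stage1" "$compiler_src" || return 2
        # Stage 2: build the application with the compiler just produced.
        "$stage1" -o "$app" "$app_src" || return 2
        digest=$(sha256sum "$app" | cut -d' ' -f1)
        printf '%s  %s\n' "$digest" "$bootstrap" >> "$work/hashes.txt"
    done
    # A single distinct hash means every toolchain produced the same binary.
    distinct=$(cut -d' ' -f1 "$work/hashes.txt" | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -eq 1 ]; then
        return 0
    fi
    echo "application binaries differ:" >&2
    cat "$work/hashes.txt" >&2
    return 1
}
```

A mismatch only says that at least one toolchain disagrees; the per-compiler hashes in `hashes.txt` show which one is the outlier.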