How does verifying open source software work?


How do we know the code that’s published is the same code that’s actually being used?


4 Answers

Anonymous

Some projects have reproducible builds.

This means that you can take the code as it was on, say, August 22 on GitHub, build it, and get exactly the bit-by-bit binary they published. This usually takes some work because the exact binary varies depending on things like versions of compilers and dependencies, and requires the absence of anything that could vary, such as timestamps being built into the output.

Without that, the easiest way is to just build it yourself; then you can trust that what you built is what you looked at.

If you suspect something, then a skilled developer can build their own binary, then compare it to the officially published one and see what’s different and where.
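The check this answer describes, as an added example that is not part of the original post: a constructed two-file "source tree" is packaged into a tar archive on two machines with different file timestamps, and the hashes are compared. Without normalisation the builds differ even though the sources are identical; with a clamp in the style of the reproducible-builds SOURCE_DATE_EPOCH convention (mimicked here, not the real tool chain) they match bit for bit. The `first_difference` helper is the starting point for "what's different and where".

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample source tree (file name -> contents). It stands in for the
# checkout of one commit that both the maintainer and an auditor build.
SOURCE_FILES = {"README": b"demo project\n", "main.c": b"int main(void) { return 0; }\n"}

def build_archive(source, build_time, source_date_epoch=None):
    """Package `source` into an uncompressed tar and return its bytes.
    build_time simulates file mtimes on whichever machine runs the build.
    source_date_epoch mimics the SOURCE_DATE_EPOCH convention: timestamps
    newer than it are clamped, so output no longer depends on build time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(source):  # fixed order, not directory-listing order
            data = source[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = build_time
            if source_date_epoch is not None:
                info.mtime = min(build_time, source_date_epoch)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def matches_published(published_sha256: str, local_build: bytes) -> bool:
    """The reviewer's check: does a local build equal the published artifact bit for bit?"""
    return hmac.compare_digest(sha256_hex(local_build), published_sha256)

def first_difference(a: bytes, b: bytes):
    """Byte offset where two builds first diverge (None if identical): the
    starting point for asking what differs and where."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

if __name__ == "__main__":
    epoch = 1_699_999_000  # constructed commit time, used as SOURCE_DATE_EPOCH
    naive = [build_archive(SOURCE_FILES, t) for t in (1_700_000_000, 1_700_086_400)]
    print("naive builds a day apart match:", matches_published(sha256_hex(naive[0]), naive[1]),
          "first differing byte at offset", first_difference(*naive))
    fixed = [build_archive(SOURCE_FILES, t, epoch) for t in (1_700_000_000, 1_700_086_400)]
    print("with SOURCE_DATE_EPOCH they match:", matches_published(sha256_hex(fixed[0]), fixed[1]))
```

For a real release the same comparison applies: build the pinned commit, hash the result, and compare against the digest the project publishes.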
