This may need a definition of what you consider to be malware, as well as its scope. If an upstream package was compromised, and a release containing a malicious artifact was made, that could be picked up and packaged by downstream distributions. Although in that case one could argue whether it should be considered malware, or whether it isn't simply a feature of Foobar program 13.0 that it <does evil things>.
Actually, just embedding some malicious code in the binary of an upstream release would not be enough, since Debian will compile the package from source, so the malware would have to be present in the source code (the source code could embed a binary object; that would produce some automated warnings, but those might be missed by the maintainer, so it's certainly a possibility). Ubuntu does the same for most packages, although that might not be the case for Restricted or Multiverse.
The most similar case I can think of is when Jamie Zawinski (JWZ) made his xdaliclock program run backwards after midnight on 31 Dec 1999, in a way that made it look like a Y2K bug. He added that feature on purpose, in a bunch of obfuscated code, a long time in advance, so distros would have picked up the version with that easter egg by the Y2K epoch.
There was a post by JWZ telling that story, but I have been unable to find it. His current blog 'only' goes back to April 2002, it isn't mentioned on the xdaliclock page either, and general searches have failed me as well. ☹
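The answer above leans on the fact that a distribution builds from source, so a prebuilt object smuggled into a source tarball is the thing an automated check has to catch. The script below is an added example, not code from the post and not Debian's or Ubuntu's own archive tooling: it walks a source tree and flags files that carry a known executable or archive signature, contain NUL bytes, or are mostly control characters. The `MAGIC` table, the heuristic thresholds and the `SAMPLE_TREE` standing in for an unpacked upstream tarball are all constructed for the example.

```python
"""Flag binary objects shipped inside a source tree.

Added example (not the original post's code, and not a reproduction of
Debian's or Ubuntu's archive checks). A build "from source" only helps if
the tree really contains source, so any prebuilt object, archive or
executable found in it deserves a maintainer's attention before the
package is accepted.
"""
import os
from typing import Dict, List, Optional, Tuple

# Well-known file signatures (magic bytes) for prebuilt code and archives.
# Constructed table for this example; extend it as needed.
MAGIC: List[Tuple[bytes, str]] = [
    (b"\x7fELF", "ELF object/executable"),
    (b"MZ", "PE/DOS executable"),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit"),
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (little-endian)"),
    (b"\xca\xfe\xba\xbe", "Java class or Mach-O fat binary"),
    (b"!<arch>\n", "ar static library"),
    (b"PK\x03\x04", "zip/jar/wheel archive"),
    (b"\x1f\x8b", "gzip archive"),
]

# Control bytes that legitimately occur in text: tab, LF, CR, form feed, ESC.
_ALLOWED_CONTROL = {0x09, 0x0A, 0x0D, 0x0C, 0x1B}


def classify(data: bytes, sample: int = 8192) -> Optional[str]:
    """Return a short reason if `data` looks like a binary object, else None.

    Only the first `sample` bytes are inspected; signatures are checked first,
    then two cheap text heuristics (NUL bytes, share of control characters).
    """
    head = data[:sample]
    if not head:
        return None
    for sig, name in MAGIC:
        if head.startswith(sig):
            return name
    # A NUL byte almost never appears in legitimate source text.
    if b"\x00" in head:
        return "contains NUL bytes"
    control = sum(
        1 for b in head if (b < 0x20 and b not in _ALLOWED_CONTROL) or b == 0x7F
    )
    if control / len(head) > 0.30:
        return "mostly non-text bytes"
    return None


def scan_tree(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Scan a {relative path: content} mapping; return (path, reason) for binary-looking files."""
    findings: List[Tuple[str, str]] = []
    for path in sorted(files):
        verdict = classify(files[path])
        if verdict:
            findings.append((path, verdict))
    return findings


def load_tree(root: str) -> Dict[str, bytes]:
    """Read a real unpacked source tree from disk into the mapping scan_tree expects."""
    tree: Dict[str, bytes] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                tree[os.path.relpath(full, root)] = fh.read()
    return tree


# Constructed sample tree standing in for an unpacked upstream tarball.
SAMPLE_TREE: Dict[str, bytes] = {
    "configure.ac": b"AC_INIT([foobar], [13.0])\nAC_OUTPUT\n",
    "src/main.c": b'#include <stdio.h>\nint main(void) { puts("hi"); return 0; }\n',
    # UTF-8 text with a non-ASCII dash must not be flagged.
    "README": "Foobar 13.0 \u2013 a program.\n".encode("utf-8"),
    # A prebuilt helper the build would copy into place: ELF header plus padding.
    "tools/helper.bin": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 56,
    # A compressed archive hiding under a source-looking directory.
    "contrib/extras.tar.gz": b"\x1f\x8b\x08\x00" + bytes(range(256)),
    # No known signature, but NUL bytes present.
    "data/blob.dat": bytes(range(256)) * 4,
    # No NUL bytes and no signature, but overwhelmingly control characters.
    "data/ctl.dat": bytes(range(1, 32)) * 20,
}

if __name__ == "__main__":
    for path, why in scan_tree(SAMPLE_TREE):
        print(f"WARNING: {path}: {why}")
```

For a real tree, `scan_tree(load_tree("/path/to/unpacked/source"))` gives the same list; the point of the example is that such a warning is only useful if someone reads it, which is exactly the gap the answer describes.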