This is a fairly silly topic, but I'll say two things:
1) If the CIA or NSA or whoever contributed source code, we would review them like any other patches. Period. If they're committing illegal activities or whatever, that's something for the courts to rule on, and is no business of ours. Our goal (of MediaWiki developers) is to make good software, nothing else. Someone working for Microsoft was trying to get commit access to work on MSSQL a while back, too, and we weren't going to hold it against him. As for adding subtle "tell the NSA about Wikipedians' browsing habits" stuff, I very much believe that anyone who would review the patches would be competent enough to spot deliberately malicious or obfuscated source code before committing it.
2) If the CIA or NSA were hypothetically distributing modified MediaWiki binaries to third parties (PHP compilers do exist), that would be illegal, since MediaWiki is only licensed under the GPL, and so they would have no legal right to distribute binaries without full accompanying source code. I'm sure they would immediately stop once this was pointed out to them, and either stop distributing the stuff outside their own organizations or provide the source code. Of course if you believe that they're illegally infringing everyone's rights left and right with no oversight, you might think they wouldn't stop and we would all disappear in the middle of the night if we tried to formally complain. I guess we'll see if it happens.