Wondering how open source stays [at least somewhat] safe? I recommend this mind-opening presentation from Cristina Muñoz on systematically detecting malware attacks in the Python Package Index (@PyPI):

https://www.youtube.com/watch?v=28BoQLWKGWw&feature=youtu.be&t=246

(More about the speaker: https://keybase.io/xmun0x)