From a recent Wired article:
The developer of a popular open source package has been caught adding malicious code to it, leading to wiped files on computers located in Russia and Belarus. The move was part of a protest that has enraged many users and raised concerns about the safety of free and open source software.
The application, node.ipc, adds remote interprocess communication and neural networking capabilities to other open source code libraries. As a dependency, node.ipc is automatically downloaded and incorporated into other libraries, including ones like Vue.js CLI, which has more than 1 million weekly downloads.
Two weeks ago, the node.ipc author pushed a new version of the library that sabotaged computers in Russia and Belarus, the countries invading Ukraine and providing support for the invasion, respectively. The new release added a function that checked the IP address of developers who used node.ipc in their own projects. When an IP address geolocated to either Russia or Belarus, the new version wiped files from the machine and replaced them with a heart emoji.
To conceal the malice, node.ipc author Brandon Nozaki Miller base-64-encoded the changes to make things harder for users who wanted to visually inspect them to check for problems.
Translated into plain language: the open source community is motivated by ideology, not money. Since they are motivated by ideology, they constantly need to find “noble causes” and “change the world”. In this case, one such “noble individual” decided that the “noble cause” is to support Ukraine in its valiant struggle for fascism, theft, corruption and enrichment of criminals, and against Russia, and modified a popular open source project by adding malware that damages user data if the IP address is in antifascist countries. The code was base-64 encoded in order to prevent visual detection.
Now, if we bear in mind that the supposedly “open source” projects are hardly ever peer-reviewed even in normal times, because there are too many projects and nobody really wants to bother with it, since it’s assumed that, because the code is open to inspection, it actually is constantly inspected and reviewed, the fact remains that hundreds or thousands of pieces of malware, carefully encoded to hide their real purpose, can be scattered across all sorts of open source projects. Such projects are maintained by one or two actual developers who do all the work, while the “reviewers” will seldom give the source code even a passing glance. Those maintainers are starved for money and therefore easy targets for bribery by governments or corporations; they are also possibly sensitive to other forms of pressure/blackmail; and then there are those who are ideologically motivated, in the sense that they, like all godless people, live empty and worthless lives and want to pretend that their lives matter and that they make a difference by contributing to the cause of the day. There’s absolutely no reason why I would assume that open source projects are trustworthy, which means I would have to either personally go through them – for which I lack both time and motivation – or trust someone who will provide oversight, in which case quis custodiet ipsos custodes?
I told the package manager in the Linux distro I use to list all the installed packages and there were 2147 of them, and I inspected the source code of exactly 0 of those. If n% of all contributors were sensitive to ideological virtue-signalling, o% were sensitive to money issues and p% were sensitive to blackmail (where n, o, p > 0), how many hidden pieces of malware could they have put in there, carefully masked by obfuscation, function by omission or function by interaction with other pieces of the puzzle, all of which is very hard to detect?
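As an added example (not code from this post, from node.ipc, or from any real package), here is one cheap check a reviewer could run over an installed dependency tree for the specific masking technique the article describes: long base64 string literals that decode to code, and base64 decode calls sitting on the same line as eval or new Function. The scoring weights, the file walker, the sample module and every name in it (Finding, scan_source, scan_tree, SAMPLE_JS) are this example's own assumptions; it looks for a pattern, not for any known payload, so hits are leads for manual review, not verdicts.

```python
"""Scan JavaScript source for base64 literals that decode to code.

Added example for this post, not code from node.ipc or any real package.
Pulls out long base64-looking string literals, decodes them strictly, scores
the result for JavaScript keywords and filesystem/process API names, and
separately flags lines where a base64 decode and a dynamic-execution call
(eval, new Function) appear together.
"""
import base64
import os
import re
import sys
from dataclasses import dataclass

# Literals at least this long and drawn only from the base64 alphabet get decoded.
MIN_B64_LEN = 32
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{%d,}={0,2})["\']' % MIN_B64_LEN)

# Tokens whose presence in decoded text suggests code rather than data. Names a
# wiper or exfiltrator needs (filesystem, child processes, network) weigh more
# than generic syntax. Weights are this example's assumptions.
CODE_INDICATORS = {
    "require(": 2, "process.": 2, "child_process": 3, "fs.": 2,
    "writeFileSync": 3, "unlinkSync": 3, "rmSync": 3, "readdirSync": 2,
    "http.": 2, "https.": 2, "eval(": 3, "new Function": 3,
    "function": 1, "=>": 1, "import ": 1,
}

B64_DECODE_CALL = re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\)|\batob\(")
DYNAMIC_EXEC = re.compile(r"\beval\(|new Function\(|vm\.runInThisContext\(")


@dataclass
class Finding:
    path: str
    line: int
    reason: str
    detail: str
    score: int


def decode_b64_text(literal: str):
    """Strictly decode a literal; return the text if it is readable UTF-8, else None."""
    try:
        text = base64.b64decode(literal, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Binary blobs (images, fonts) rarely survive as printable text; require it.
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def score_decoded(text: str) -> int:
    return sum(weight for token, weight in CODE_INDICATORS.items() if token in text)


def scan_source(src: str, path: str = "<string>", threshold: int = 4) -> list:
    """Return Findings for one file's source text."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for match in B64_LITERAL.finditer(line):
            text = decode_b64_text(match.group(1))
            if text is None:
                continue  # not valid base64, or not text
            score = score_decoded(text)
            if score >= threshold:
                findings.append(Finding(path, lineno, "base64 literal decodes to code",
                                        text[:80], score))
        if B64_DECODE_CALL.search(line) and DYNAMIC_EXEC.search(line):
            findings.append(Finding(path, lineno, "base64 decode next to dynamic execution",
                                    line.strip()[:80], threshold))
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory (e.g. node_modules) and scan every JavaScript file in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith((".js", ".cjs", ".mjs")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), full))
    return findings


# Constructed sample input for this example: a module whose helper hides code in
# a base64 literal and runs it, next to two harmless base64 strings.
_PAYLOAD = base64.b64encode(b'const fs = require("fs"); fs.writeFileSync(target, "x");').decode()
_LICENSE = base64.b64encode(b"Copyright (c) example. All rights reserved.").decode()
SAMPLE_JS = "\n".join([
    'const fs = require("fs");',
    'const GREETING = "aGVsbG8gd29ybGQ=";  // short literal, below the length cutoff',
    f'const LICENSE_TEXT = "{_LICENSE}";  // long literal, but decodes to prose',
    'function helper(target) {',
    f'  const run = new Function("target", Buffer.from("{_PAYLOAD}", "base64").toString("utf8"));',
    '  return run(target);',
    '}',
    'module.exports = { helper };',
])

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE_JS)
    for f in results:
        print(f"{f.path}:{f.line}: {f.reason} (score {f.score}): {f.detail}")
```

Run with no arguments to see it flag line 5 of the constructed sample twice (the decoded literal scores 7 for require, fs. and writeFileSync, and the decode sits beside new Function) while the prose-only literal on line 3 is ignored; pass a directory such as node_modules to walk real files. The check is easy to evade (split strings, hex or custom encodings, payloads fetched at install time), so it is a triage aid for the "passing glance" problem described above, not a substitute for pinning versions and reading diffs on upgrade.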
Basically, if I want something that will work reliably in all kinds of scenarios, Linux and other open source solutions are arguably no better than the proprietary ones; they just have different sets of issues, which is why I try to average out by using all the available platforms and maintain sufficient proficiency in all of them to be able to instantly platform-hop if one of them is disabled.