I noticed this in Bruce Schneier's latest Crypto-Gram issue: <https://www.schneier.com/crypto-gram...1215.html#cg12>.

It seems that someone was given the right to administer a module which is part of an Open-Source project and used that right to push some malware on to that project's users …

"he emailed me and said he wanted to maintain the module, so I gave it to him. I don't get anything from maintaining this module, and I don't even use it anymore, and haven't for years."

"Apparently, you don't want to take any responsibility for this package. That's fine, it's the free community, do whatever you want. But at least indicate somehow that you're not maintaining this repo anymore, e.g. archive the repo"
AFAICS, the question is, “How does an Open-Source community protect itself against the misuse of the community's resources?”

IOW, is it sufficient to have a control instance which inspects all the code submitted to the community's repositories?

How much trust do we have to place in the sources of the code in the community's repositories?