Is reddit inherently insecure? I mean, anyone could post anything there! Which... isn't that the point of software repos? They are just a place to store data. What data is being stored there and how safe or effective it might be are issues of trust and reputation. The article talks about how vulnerable a repo is because a single developer being phished can lead to compromise. It doesn't even address the larger potential rug pull scam that is possible. What happens if a major framework decides to go scorched earth and burn their reputation for a quick attempt at a payout? The article summary makes a few points about how we can do more to protect things, but all of them are only targeted at making sure the version you are getting is the one you expect. There is nothing in there about suitability for purpose or the inherent security or trustworthiness of the code itself.
The entire open source movement is predicated on the Many Eyes theory. Which is just a theory and more a question of philosophy. Do you think we're all largely trying to work together, or is it all dog eat dog out there? And what are the alternatives? Do open source developers need to hire independent auditors to review their code and check for back doors before they are allowed to push new versions? Which just leads to the Who Watches the Watchers problem. Where do you expect software security to come from? Who is responsible for it? Is it all caveat emptor, or should there be some requirement around the manufacturer or publisher? And who should pay for it under the free software model?
As a developer, this all seems like clickbait nonsense. Source code is just source code. Trusting it without reading it is a risky prospect. And that's before you take into account the broader issues explored by Ken Thompson in his Reflections on Trusting Trust, which scared the hell out of me the first time I read it. An exploit in my security framework is bad enough. But what if someone smuggles it into my compiler? Or the hardware I run the compiler on? Or the hardware or operating system I run the application upon?
Software paranoia aside, we have come a long way since the Morris Worm bug went on a rampage or left-pad vanishing reminded everyone that trusting your build system to third-party repositories can cause issues. Could we do more? Of course! But like most developers, I'm just a wage slave or an unpaid volunteer. So I will stick to whatever security policies my employer requires and otherwise do my best and continue to assert: All services are provided "as is" and provide no warranties of any kind.
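An added illustration of the distinction the comment draws, written for this page and not taken from the article or the commenter: a lockfile-style pin-and-verify routine of the kind the "version you are getting is the one you expect" proposals amount to. The package name `example-left-pad`, the `LOCKFILE` layout, the artifact bytes and the helper names are all constructed assumptions. It shows what a pinned digest catches (a substituted artifact under a known version, or an artifact that has simply disappeared from the registry) and what it cannot catch (a maintainer deliberately publishing an unwanted release, which a developer then pins in good faith).

```python
"""Pin-and-verify a fetched dependency against a lockfile (constructed example)."""
import hashlib
import hmac
from typing import Optional

# Constructed "genuine" artifact for a hypothetical package.
GOOD_ARTIFACT = b"def pad(s, n, c=' '):\n    return c * (n - len(s)) + s\n"

# Constructed stand-in for a release the maintainer publishes on purpose but
# that consumers would not want. Its content is irrelevant; the point is that
# it is authentic, so pinning its real digest makes it verify cleanly.
UNWANTED_RELEASE = GOOD_ARTIFACT + b"# constructed: behaviour change nobody asked for\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed lockfile: package -> pinned version and digest.
LOCKFILE = {
    "example-left-pad": {"version": "1.3.0", "sha256": sha256_hex(GOOD_ARTIFACT)},
}


def verify_pinned(name: str, version: str, data: Optional[bytes],
                  lockfile: dict = LOCKFILE) -> tuple[bool, str]:
    """Check a fetched artifact against the lockfile.

    Returns (ok, reason). `data is None` models the registry no longer
    serving the artifact at all (the left-pad case).
    """
    entry = lockfile.get(name)
    if entry is None:
        return False, "not pinned"
    if data is None:
        return False, "artifact unavailable"
    if entry["version"] != version:
        return False, f"version mismatch: pinned {entry['version']}, got {version}"
    # Constant-time comparison of hex digests; the digest is the only thing
    # this check knows about, so it speaks only to substitution, not intent.
    if not hmac.compare_digest(entry["sha256"], sha256_hex(data)):
        return False, "digest mismatch"
    return True, "ok"


def repin(lockfile: dict, name: str, version: str, data: bytes) -> dict:
    """Return a new lockfile trusting `data` as the artifact for `version`.

    This is what a developer does when upgrading: the new digest is computed
    from whatever the registry served, so an authentic-but-unwanted release
    is pinned just as readily as a good one.
    """
    updated = dict(lockfile)
    updated[name] = {"version": version, "sha256": sha256_hex(data)}
    return updated


def main() -> None:
    name = "example-left-pad"
    # 1. Genuine artifact at the pinned version: passes.
    print("genuine   ", verify_pinned(name, "1.3.0", GOOD_ARTIFACT))
    # 2. Same version, altered bytes (e.g. republished from a phished account): caught.
    print("tampered  ", verify_pinned(name, "1.3.0", GOOD_ARTIFACT + b"# extra\n"))
    # 3. Registry no longer serves it: caught, but the build is still broken.
    print("vanished  ", verify_pinned(name, "1.3.0", None))
    # 4. Maintainer ships an unwanted 1.4.0 and the developer pins it: passes.
    lock2 = repin(LOCKFILE, name, "1.4.0", UNWANTED_RELEASE)
    print("repinned  ", verify_pinned(name, "1.4.0", UNWANTED_RELEASE, lock2))


if __name__ == "__main__":
    main()
```

Case 4 is the comment's rug pull: the digest is correct because the release is exactly what the publisher shipped, so integrity checks have nothing to say about it; only reading the code or reviewing the diff between pinned versions addresses suitability for purpose.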