I think reputation systems could ameliorate this to some degree. If I could calculate a trust score recursively according to a list of people I trust personally, that would be a step in the right direction. 6 degrees of jblow. The more people with low trust scores contribute to a project, the more the project-level trust score falls or is diluted. I would have different levels of safety threshold for projects (only a trust score above X, or only those on my personally trusted list, or only those 1 degree away). It doesn't stop someone from contributing for years and years and then being offered money to do something bad. It might drive up code quality overall too - there is a lot more riding on your own trust score than just whipping up some buggy Python module and throwing it into the open.
But overall, it does seem like we're still in a kind of computing salad days/90s extropian hangover, and soon the other shoe is gonna drop (or has, already).
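One way to sketch the recursive trust score, the project-level dilution and the three safety thresholds described in the comment above, as an added example that is not part of the original post; the contributor names, the halving-per-degree decay and the exact meaning of each policy are assumptions:

```python
from collections import deque

# Constructed example: who personally vouches for whom (hypothetical names).
TRUST_EDGES = {
    "me": {"alice", "bob"},
    "alice": {"carol"},
    "bob": {"dave"},
    "carol": {"eve"},
}

def trust_scores(edges, root, decay=0.5, max_degree=6):
    """BFS from root. Score is decay**degree (assumed: halves per hop, at most
    six degrees); anyone unreachable gets no score at all."""
    scores, degree, queue = {root: 1.0}, {root: 0}, deque([root])
    while queue:
        person = queue.popleft()
        if degree[person] >= max_degree:
            continue
        for endorsed in edges.get(person, ()):
            if endorsed not in scores:
                degree[endorsed] = degree[person] + 1
                scores[endorsed] = decay ** degree[endorsed]
                queue.append(endorsed)
    return scores, degree

def project_trust(contributors, scores):
    """Mean contributor score; unknown contributors count as 0 and dilute it."""
    if not contributors:
        return 0.0
    return sum(scores.get(c, 0.0) for c in contributors) / len(contributors)

def acceptable(contributors, scores, degree, policy, threshold=0.25):
    """Three thresholds: 'score' = project score >= threshold; 'direct' = every
    contributor is on my own list (degree 1); 'one_hop' = every contributor is
    at most one degree beyond my list (degree <= 2). The last two never accept
    an unknown contributor, whatever the average looks like."""
    if policy == "score":
        return project_trust(contributors, scores) >= threshold
    limit = 1 if policy == "direct" else 2
    return all(c in degree and 0 < degree[c] <= limit for c in contributors)
```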