Malware vector: become an admin on dormant, widely-used open source projects

mostlysignssomeportents:

Many open source projects attain a level of “maturity” where no one
really needs any new features and there aren’t a lot of new bugs being
found, and the contributors to these projects dwindle, often to a single
maintainer who is generally grateful for developers who take an
interest in these older projects and offer to share the choresome,
intermittent work of keeping the projects alive.

Ironically, these are often projects with millions of users, who trust
them specifically because of their stolid, unexciting maturity.

This presents a scary social-engineering vector for malware: A malicious
person volunteers to help maintain the project, makes some small,
positive contributions, gets commit access to the project, and releases a
malicious patch, infecting millions of users and apps.

This is apparently what happened
to event-stream, a widely used tool that was compromised by a
cryptocurrency-stealing attacker who gained commit access, poisoned an
update, and then locked the project’s owner out.

https://boingboing.net/2018/11/26/candy-from-strangers.html
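A defender-side check for the pattern the post describes (a newcomer gains publish rights, the original owner drops off the maintainer list, and the next release pulls in a dependency no earlier release used). This is an added example, not code from the post or from event-stream; the metadata layout, package and maintainer names, versions and dependency names are all constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample data (not real registry records): two snapshots of one
# package's metadata, before and after a new volunteer took over.
BEFORE = {
    "maintainers": ["original-owner"],
    "versions": {
        "1.4.0": {"publisher": "original-owner",
                  "dependencies": {"through": "2.3.8"}},
    },
}
AFTER = {
    "maintainers": ["new-volunteer"],   # original owner no longer listed
    "versions": {
        "1.4.0": {"publisher": "original-owner",
                  "dependencies": {"through": "2.3.8"}},
        "1.5.0": {"publisher": "new-volunteer",
                  "dependencies": {"through": "2.3.8",
                                   "helper-stream": "0.1.1"}},  # new dep
    },
}


def maintainer_changes(before: dict, after: dict) -> Dict[str, List[str]]:
    """Who gained and who lost the ability to publish between snapshots."""
    old, new = set(before["maintainers"]), set(after["maintainers"])
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def suspicious_releases(before: dict, after: dict) -> List[Tuple[str, str, List[str]]]:
    """Releases published by a newly added maintainer that pull in
    dependencies no earlier release used. Returns (version, publisher,
    names of the newly introduced dependencies)."""
    newcomers = set(maintainer_changes(before, after)["added"])
    known_deps = set()
    for meta in before["versions"].values():
        known_deps.update(meta["dependencies"])
    findings = []
    for version, meta in after["versions"].items():
        if version in before["versions"]:
            continue  # already present in the earlier, reviewed snapshot
        added_deps = sorted(set(meta["dependencies"]) - known_deps)
        if meta["publisher"] in newcomers and added_deps:
            findings.append((version, meta["publisher"], added_deps))
    return findings


if __name__ == "__main__":
    print(maintainer_changes(BEFORE, AFTER))
    print(suspicious_releases(BEFORE, AFTER))
```

Run against real snapshots, a non-empty result is a prompt to review the new dependency before the update reaches a lockfile, not proof of compromise.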
