in reply to Re^4: copyfail challenge: making Perl version smaller
in thread copyfail challenge: making Perl version smaller
"So we can trust open source modules?"
It's reasonable to expect you can trust something more if you have access to the source code, but you'd need to read and understand it, and the wider implications of what the code does. It's likely easier for someone to find a problem with open source software by virtue of having the code, e.g. very recently cPanel CVE-2026-41940, Shai-Hulud Themed Malware Found in the PyTorch Lightning AI Training Library.
"There was a recent blog-/reddit-post about hundreds of pull requests produced by AI and accepted within a week."
The grift existed in the 'before times', including https://lore.kernel.org/lkml/202105051005.49BFABCE@keescook/. AI is just making this worse: cURL end bug bounty, cURL - death by a thousand slops.