Fortify Software is suggesting that the trusting nature of open-source developers has led to some glaring Trojan horses in their code. The problem with Computer Business Review's analysis ("Is nothing sacred?") is that it overlooks how the very transparency of the problem leads to its erasure in open source. Transparency leads to a solution.
Fortify has identified a new class of bug that is designed to take advantage of the atmosphere of trust that occurs while developers are playing with open source code. It's called "build-process injection," a Trojan horse that allows hackers to insert malicious code into the target program while it is being constructed.
In this case, hackers can surreptitiously replace source code sitting in the repository with an infected version. The result is that the Trojan horse could start doing its dirty work before the application ever gets to test phase, or depending on the design of the malware, at any point thereafter.
I'm not a developer, but I understand the problem (a developer comes to trust her code repository and so doesn't think to check it before pulling down code). But the one thing that isn't recognized in the problem or the analysis of it is the trust that is required to upload code to an open-source project. It's simply not the case that anyone can do it. The kind of person who would do this sort of thing isn't the sort of person that has the access necessary to accomplish it.
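The check that the paragraph above says developers skip (comparing what was pulled from the repository against what was known good) can be made mechanical. The following is an added example, not code from Fortify or from the article: it pins a SHA-256 digest for every file in a trusted source tree and later verifies a fresh checkout against that record, reporting modified, missing and unexpected files so a build step can refuse to run on a tree that no longer matches. The sample source tree and the simulated change are constructed for the demo; file names such as `src/main.c` are placeholders.

```python
"""Pinned-manifest check for a source tree before it is built.

Added example (not Fortify's or the article's code): records a SHA-256 per
file while the tree is known good, then verifies a later checkout against
that record so a file swapped in the repository is noticed before the build
runs. The paths and sample files below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large sources are not loaded at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = file_digest(p)
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare the tree at root against a pinned manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]};
    all three lists empty means the tree matches what was pinned.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: pin a clean tree, then alter one file and add one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (root / "Makefile").write_text("all:\n\tcc -o app src/main.c\n")
        pinned = build_manifest(root)  # recorded while the tree is trusted
        # Simulate a later checkout whose repository contents have changed.
        (root / "src" / "main.c").write_text("int main(void) { return 1; }\n")
        (root / "src" / "extra.c").write_text("/* not in the pinned manifest */\n")
        return verify_tree(root, pinned)


if __name__ == "__main__":
    result = demo()
    if any(result.values()):
        print("build blocked; tree differs from pinned manifest:", result)
    else:
        print("tree matches pinned manifest")
```

In practice the manifest would be produced on a machine other than the build host and stored (or signed) outside the repository it describes, since a manifest that lives beside the code can be replaced along with it; the point of the example is only that the comparison is cheap enough to run before every build.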
Regardless, I'm willing to bet that a horde of open-source developers with knowledge of the problem will fix it. Exposure leads to solutions; secrets perpetuate them.