All the reasons that lay the blame for the node-ipc debacle at the feet of “open source” are, surprise, surprise, bullshit.
First of all, it was the creator himself who altered his own software. Guess which other licenses allow changing _your own_ software? ALL OF THEM, regardless of whether it is open sourced or closed and proprietary.
Secondly, I think nobody will find controversial the claim that researchers having access to the source code (BECAUSE IT WAS OPEN SOURCE!) made it easier to identify and neutralise the offending snippets. Imagine how much harder that would have been if all they had had to work with was a bunch of compiled binaries.
So, no, open source did not facilitate the sabotage of node-ipc. If anything, it made the sabotage easier to detect and fix.
The problem is how lazy, clueless and/or overworked implementers pull in and apply updates without checking or sanitising them; how node.js tooling happily lets them do that, with floating version ranges and install scripts enabled by default; and how lazy, clueless and/or biased tech journalists will take any and every opportunity to take a potshot at FLOSS.
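To make the "node.js just lets you do that" point concrete, here is an added example (my code, not anything from the original post or from the node-ipc project): a dependency-free Node.js script that models npm's caret rule to show why a `^a.b.c` range silently accepts a newer patch release, and then audits a package.json and .npmrc for the two settings that allow an unreviewed update to land: floating version ranges, and install-time scripts left enabled. The package.json and .npmrc contents are constructed for the demo, and the version numbers are illustrative.

```javascript
// Added example, not code from the original post or from node-ipc.
// Models npm's caret rule and audits a constructed project for the settings
// that let an unreviewed package update land silently.

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// Minimal model of npm's caret rule for ranges at or above 1.0.0:
// "^a.b.c" accepts any version in [a.b.c, (a+1).0.0). Pre-release tags and
// 0.x ranges are deliberately rejected; real resolution is the semver package.
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges modelled here');
  const [ra, rb, rc] = parseSemver(range.slice(1));
  if (ra === 0) throw new Error('0.x caret ranges not modelled here');
  const [va, vb, vc] = parseSemver(version);
  if (va !== ra) return false;
  if (vb !== rb) return vb > rb;
  return vc >= rc;
}

const EXACT = /^\d+\.\d+\.\d+$/;
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Every dependency whose specifier is not an exact version: a fresh
// `npm install` with no lockfile (or a lockfile that is later regenerated)
// may resolve these to a release nobody on the team ever looked at.
function floatingDependencies(pkg) {
  const out = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// .npmrc is a flat key=value file. Two real npm config keys matter here:
//   ignore-scripts=true   stops install-time lifecycle scripts from running
//   save-exact=true       makes `npm install <pkg>` write "1.2.3", not "^1.2.3"
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Returns a list of human-readable findings; an empty list means "hardened".
function auditProject(pkg, npmrcText) {
  const cfg = parseNpmrc(npmrcText);
  const findings = floatingDependencies(pkg).map(
    (d) => `${d.field}.${d.name} uses floating range "${d.spec}"`);
  if (cfg['ignore-scripts'] !== 'true') findings.push('ignore-scripts is not true');
  if (cfg['save-exact'] !== 'true') findings.push('save-exact is not true');
  return findings;
}

// Constructed inputs: the weak project and its hardened counterpart.
// Version numbers are illustrative, chosen only to show the mechanics.
const weakPackage = {
  name: 'demo-app',
  dependencies: { 'node-ipc': '^10.1.0', express: '4.17.3' },
  devDependencies: { mocha: '~9.2.0' },
};
const weakNpmrc = '# npm defaults: scripts run, new deps saved with a ^ prefix\n';

const hardenedPackage = {
  name: 'demo-app',
  dependencies: { 'node-ipc': '10.1.0', express: '4.17.3' },
  devDependencies: { mocha: '9.2.0' },
};
const hardenedNpmrc = 'ignore-scripts=true\nsave-exact=true\n';

console.log('^10.1.0 accepts 10.1.1:', caretSatisfies('^10.1.0', '10.1.1'));
console.log('weak project findings:', auditProject(weakPackage, weakNpmrc));
console.log('hardened project findings:', auditProject(hardenedPackage, hardenedNpmrc));
```

Pinning alone is not enough: the pinned versions have to be installed with `npm ci`, which installs exactly what package-lock.json records and refuses to proceed if the lockfile disagrees with package.json, rather than with `npm install`, which is free to rewrite the lockfile.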