I'm impressed that people are advocating reviewing all dependencies. It's admirable, but I have to wonder...
It seems like you might be able to spot incompetently written code, but for malicious code, one has to assume it is hidden away in the last place you look.
It also seems really inefficient if everyone would review all their dependencies. Tens of thousands of people would review some libraries.
It'd be nice if reviews were more public. One might have more faith in a package if one knew it had been reviewed by 20 others before. But then how do you trust the reviewers?
As for open source, I don't feel that's the problem. At least with open source, you get the chance to do reviews.
As a fun fact, I once found that a library I wanted to use had a bunch of code encoded as whitespace (tabs, spaces, newlines), with two lines to eval it. There wasn't even any malicious code, someone just obfuscated it for the fun of it...
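The whitespace-plus-eval trick in that last anecdote is easy to miss by eye but easy to flag mechanically. The following is an added example, not code from the commenter or from any package mentioned in the thread: a small review aid that scans source files for long whitespace-only lines or mixed tab/space runs (somewhere to hide encoded data) and for dynamic-execution sinks, and reports a file as high severity only when both appear together. The thresholds, the sink list and the three sample files are constructed assumptions for illustration.

```python
"""Heuristic review aid: flag files that pair long whitespace-only or mixed
tab/space runs (a place to hide encoded data) with dynamic code execution.
Constructed example for this thread; thresholds and sink list are assumptions."""
import re
from typing import Dict, List

WS_LINE_MIN_LEN = 40                   # a blank line this long is not indentation
MIXED_RUN = re.compile(r"[ \t]{8,}")   # candidate run of tabs/spaces inside a line
DYNAMIC_EXEC = re.compile(r"\b(eval|exec|__import__)\s*\(")


def looks_encoded(line: str) -> bool:
    """True if a single line is suspiciously whitespace-heavy."""
    if line.strip() == "":
        return len(line) >= WS_LINE_MIN_LEN
    # Ignore leading indentation, then look for runs that mix tabs and spaces,
    # which hand-written source almost never does in the middle of a line.
    for m in MIXED_RUN.finditer(line.lstrip()):
        run = m.group()
        if " " in run and "\t" in run:
            return True
    return False


def whitespace_lines(source: str) -> List[int]:
    """1-based line numbers that look like whitespace-encoded data."""
    return [n for n, l in enumerate(source.splitlines(), 1) if looks_encoded(l)]


def exec_lines(source: str) -> List[int]:
    """1-based line numbers containing a dynamic-execution sink."""
    return [n for n, l in enumerate(source.splitlines(), 1) if DYNAMIC_EXEC.search(l)]


def scan(files: Dict[str, str]) -> Dict[str, dict]:
    """Per-file report; 'high' when hidden-looking data and an exec sink coexist,
    'low' when only one signal is present, nothing when neither is."""
    report = {}
    for name, src in files.items():
        ws, dyn = whitespace_lines(src), exec_lines(src)
        if not ws and not dyn:
            continue
        report[name] = {
            "severity": "high" if ws and dyn else "low",
            "whitespace_lines": ws,
            "exec_lines": dyn,
        }
    return report


# Constructed sample inputs (not real packages). _PAYLOAD is 40 characters of
# mixed tabs and spaces standing in for an encoded blob; nothing here is executed.
_PAYLOAD = "\t \t\t \t  " * 5
SAMPLE_FILES = {
    "obfuscated.py": "\n".join([
        "import sys",
        _PAYLOAD, _PAYLOAD, _PAYLOAD,
        "_s = open(__file__).read()",
        "eval(compile(_s, '<ws>', 'exec'))",
    ]),
    "config_loader.py": "import json\n\ndef load(path):\n    with open(path) as f:\n        return eval(f.read())\n",
    "benign.py": "def add(a, b):\n    return a + b\n\n\nprint(add(1, 2))\n",
}

if __name__ == "__main__":
    for name, finding in scan(SAMPLE_FILES).items():
        print(f"{name}: {finding}")
```

Run against a checked-out dependency tree, the "high" bucket is the short list worth reading line by line; the "low" bucket (an `eval` on its own) is still worth a glance, but it is the combination that reproduces the pattern in the anecdote.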