If a virus was hidden in open-source code, here is what would happen:
a) if the project itself had a virus hidden inside it from version 0.0.1, somebody would notice because the code is available to the public and report it to the service, and the service would remove it. Just like that.
b) if a developer added a virus in a commit, the project leaders or other developers would notice it and roll back the changes.
And just one thing: Linux powers about 85% of servers and 462 of the 500 fastest supercomputers. And Linux is open source. Are all those NASA and Google computers filled with viruses?
This is for you,
(I'm opening comments for this one.)