by goohle 1733 days ago
You can trust the community as a whole, because it uses its own product. The community will protect itself, so you, as a regular user, can benefit from that for free. No community, no protection, because the owner of a package is not a user of the product.
2 comments

A person that had at some point control of a widely distributed toolchain binary (say a compiler, linker, or even a build tool) can trick an entire community.
You're absolutely right! You can trust that a community, given sufficient time, will act to protect itself in the long-term and thus individual users. This just might not always be the same as every user being maximally safe at every point in time.

Case in point that gets at both: malicious python and npm packages stealing credentials. They were caught and handled, but not before hitting some people.