With regard to the npm malware fiasco: I don't think it shows a particular flaw in FOSS; the same thing is bound to happen when proprietary software gets acquired, the leadership of the company changes, the profits aren't what they used to be, etc.
I do, however, think FLOSS users need to seriously step up their funding game.