
This shows the inadequacy of thinking “open source makes all bugs shallow”.



On the contrary, this wouldn't even need to be hidden if it was closed source. It was caught because it's open source.


Possibly, but some of the solutions proposed, e.g., monitoring of network activity, would work either way.

It concerns me that one of these sat out there for a year.


But it's not like malicious activities could only involve the network. Also, it's possible to obfuscate network activity and hide such things among legitimate traffic.

> It concerns me that one of these sat out there for a year.

Certainly it being open source doesn't guarantee that someone will notice such things, but it raises the probabilities. It could have been like that longer if it were closed source.



