There is no straightforward way for AgileBits to quietly steal credentials from a specific target --- they'd have to publish an update that did that to their whole userbase, hope the target actually updates, and they would get caught. It is on the other hand trivial for LastPass to do that, for most of their users, because there is a normal usage flow for that product that involves typing a master password into an HTML PASSWORD input.
The problem is not open-source/closed-source so much as it is that convenient, centralized, web-based crypto tools are virtually never safe, and that's the problem LastPass has chosen to try to crack.