
Actually not. I'm the maintainer of a popular Open Source project that is hosted on GitHub. If someone stole my credentials, they could replace the current release with a binary containing a Trojan.

Looking at the security history page I see a lot of failed login attempts. Makes me glad I enabled 2-factor authentication!



Your post should be at the top for other GitHub maintainers to see.


You put compiled files on GitHub?


GitHub recently introduced a "Releases" section where you can tag releases and provide binaries: https://github.com/PostgresApp/PostgresApp/releases

It's a great way to distribute Open Source software. (Previously Mattt hosted it on a personal Amazon S3 account which he paid out of his own pocket; now bandwidth is generously paid for by GitHub.)


I don't know about you, but I seldom read through all the source code of the open source/free software I use. Yeah, even when I actually compile it myself.

If someone were to slip in rogue code - it's quite likely some to many would actually run it and deploy it. Especially if it's a fast-moving piece of software - like being so rapidly developed that distribution packages can't keep up for either time or stability reasons, leading people to compile/deploy from source themselves.


lol the real motivation is Ripple offers giveaways. github account == $$$$



