The community can only read the source code, as of yet. All of the source code has been provided by a set of internal developers.
The fact that it is open source means that, if somehow two malware elements have made it into the source code, then someone will eventually report it. But this doesn't mean that two malware elements cannot be there right now.
These two malware hits on total virus scan should be communicated to the developers.
Thanks