This is happening to high-value crypto companies with large security teams. Imagine what happens when OSS maintainers are asked to work on GitHub repositories containing malicious code as part of fake job interviews.
If it's not insider access, then an attacker might as well compromise an OSS maintainer and publish a malicious open-source package that everyone depends on in order to reach the target organization.