I would think A Smith's comment here was directed to this interesting bit from the report he cited:
Given the activity over several weeks, the committer is either directly
involved or there was some quite severe compromise of their
system. Unfortunately the latter looks like the less likely explanation, given
they communicated on various lists about the "fixes" mentioned above.
End quote. The issue appears to be a bad actor masquerading as (or being) the real maintainer. There's no software-development or identity-management solution to that; it has to be organizational. We're lucky to have software guys as sharp as the one who caught this.