I'm seeing the same. Worth flagging that maintainers seem to be a specific target now, not just job seekers. If you've got commit access to anything popular, backdoors like this become a lot more dangerous, because the supply-chain payoff is much bigger than your laptop