How much money do you think a nation state has to spend on exploiting an OSS library? More or less than the owner of the OSS library? There's your answer.
Furthermore, of course Glasswing participants are scanning their dependencies as well. Why would you think they aren't!?