
> on top of the standard library

What makes the standard library so special? Or do you advocate fully developing that in house as well?




See my other comments on this. I tend to have people focus their cycles on easy targets for supply chain attacks such as libraries where there is no evidence -anyone- is doing review.

Most programming language standard libraries generally have at least some first- and third-party reviews from large organizations like Google, etc. That may not be perfect, but it makes those a much more difficult target than phishing some student programmer's GitHub account.



