It's worth any maintainer being familiar with these methods in order to build up defences. With a few sock puppet accounts, a single person could do it in their spare time. A nation state or a full-time criminal enterprise could carry out several attacks.
It's scary and immoral, but I find it fascinating too. Like the dark side of the How to Win Friends books.
Just the quotes:
https://news.ycombinator.com/item?id=39909905
Very long page, but a lot more in-depth. Search for "Jigar Kumar pressured Lasse Collin":
https://securelist.com/xz-backdoor-story-part-2-social-engin...
And an overview:
https://en.wikipedia.org/wiki/XZ_Utils_backdoor