Yes, it is. Most likely also in the other part, although the link I included doesn't mention any of that. The key appears to be: a large repo with lots of uploaders, some of whom guard their passwords poorly.
As long as a FLOSS repo is small and has few uploaders, it'll be safe. Hardly a model for a big and busy repo like the app store, of course.