
A reasonable person would expect many more open source projects have been infiltrated and have similar exploits waiting to be found. Hard to prove until the next one is found, but if a second one like this is discovered we probably have a huge problem on our hands.

Since the part that takes longest is getting commit rights and there's a lot of waiting to do, what are the chances the attackers put all their eggs on infiltrating one specific project? I'd be trying to infiltrate at least 10 or 20 even if I were alone, to increase my chances. If you dedicate one or two years to build reputation with the current maintainers by doing a PR here and there, you can do that for a few projects in parallel.



Assuming this would be smart to do. But xz is a very good target. It seems a lot of care went into selecting it. Consider:

* It is extremely critical. Used at multiple places in the boot process, with root or kernel mode

* Nevertheless an unnoticeable dependency. Nobody thought about its security implications

* Stable and trustworthy for years (decades?)

* Managed mostly by 1 person

* That person was more vulnerable than average to pressure, but not in a very visible way.


I'm not saying it was a bad target. It was a perfect target. How many more would fulfil these criteria? Those would be the type of repositories I'd go and investigate.

For there to be another repository affected by the same attack you don't even need to think this specific attacker did it twice. You can just consider that multiple attackers had the same idea. I think it's way more likely that there are more repositories affected by the same type of attack than not.

I'd go as far as saying this is an issue of national / global security and there's space for an agency like the IMF but for software security that would be funded by all the countries of the world to bring more resources and assuredness to this type of dependency.

Because even if this attacker didn't do more than N=1 and other attackers didn't have the idea before, they surely have it now.


About "there's space for an agency like the IMF but for software security"

See Tim Bray's proposal about "OSQI": https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI


I would add to that list:

* Has random binary test files in its repo, ideal for hiding exploit payloads.
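The criterion above is something you can actually check for in a checkout. The following is an added example, not code from the thread or from any project mentioned in it: it walks a source tree, picks out files that look binary by the usual NUL-byte / non-printable-ratio heuristic, and reports the ones with high Shannon entropy, since compressed, encrypted or random-looking fixtures are exactly the blobs a reviewer cannot read. It builds a small throwaway tree (a plain README plus a made-up `tests/files/fixture.bin` filled with random bytes) so it runs offline; the file names and the 7.0-bit threshold are assumptions for illustration.

```python
"""Added example: list opaque binary files in a source tree with their entropy.
Not from the thread or from any real project; the demo tree it scans is constructed."""
import math
import os
import tempfile

# Bytes that a text file is allowed to contain (printable ASCII plus common controls).
TEXT_CHARS = bytes(range(0x20, 0x7F)) + b"\n\r\t\b\f"


def is_binary(data, sample=8192):
    """Heuristic used by common text tools: a NUL byte, or >30% non-text bytes,
    in the first `sample` bytes marks the file as binary."""
    chunk = data[:sample]
    if not chunk:
        return False
    if b"\x00" in chunk:
        return True
    nontext = sum(1 for b in chunk if b not in TEXT_CHARS)
    return nontext / len(chunk) > 0.30


def shannon_entropy(data):
    """Bits per byte: ~8.0 for compressed, encrypted or random data, much lower for code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_tree(root, min_entropy=7.0):
    """Return sorted [(relative_path, size, entropy)] for binary files at or above
    `min_entropy` bits/byte.  The .git directory is skipped."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            if is_binary(data):
                ent = shannon_entropy(data)
                if ent >= min_entropy:
                    hits.append((os.path.relpath(path, root), len(data), round(ent, 2)))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample tree (assumption, not a real repo): one text file and
    one opaque 'test fixture' of random bytes under tests/files/."""
    root = tempfile.mkdtemp(prefix="binscan-")
    os.makedirs(os.path.join(root, "tests", "files"))
    with open(os.path.join(root, "README"), "w") as f:
        f.write("plain text, should not be listed\n")
    with open(os.path.join(root, "tests", "files", "fixture.bin"), "wb") as f:
        f.write(os.urandom(4096))  # stands in for an opaque fixture nobody reads
    return root


if __name__ == "__main__":
    for rel, size, ent in scan_tree(build_demo_tree()):
        print(f"{ent:5.2f} bits/byte  {size:7d} B  {rel}")
```

Run it against a real checkout with `scan_tree("/path/to/repo")`. The output is a review list, not a verdict: legitimate corrupt-archive or image fixtures will show up too, so the point is to know which blobs exist and whether a test or build step ever feeds them into anything other than the decoder under test.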


Yes, this has happened. See this example from OpenJSF:

"The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics" [0,1].

[0] https://openjsf.org/blog/openssf-openjs-alert-social-enginee... [1] https://www.schneier.com/blog/archives/2024/04/other-attempt...


I watched the TC interview with Durov (Telegram) and apart from it being a big Telegram ad what struck me is that he told a story about his employee being approached by "an intelligence agency" and asked to reveal information about what open-source libraries they use.

It is kind of strange since their apps are supposed to be open source, maybe he meant the backend? Nonetheless, it seems this has been their modus operandi for a long time.


Remember that NSA is openly interested in systemd and how it works. It's a double edged sword. They wanted to be sure that it's hardened as they like it, and note any "useful features" that might come handy later.

The thing is, as computers proliferate and we start to use them in more places, the effects of possible holes moves closer to our homes. From distant infra to near infra; from borderlines to our homes and transportation we use everyday. Even to our pockets via smartphones and other smart devices we host in our homes.


Hey, got a link handy for this claim?

Thanks


Rabbit hole starts with [0], and goes to [1], which arrives at [2].

Stephen Smalley in question works at NSA [3].

[0]: https://news.ycombinator.com/item?id=9863896

[1]: https://www.phoronix.com/news/NSA-KDBUS-Credentials

[2]: https://lkml.iu.edu/hypermail/linux/kernel/1507.1/01758.html

[3]: https://www.linkedin.com/in/stephen-smalley


I would start with projects where the maintainer(s) suddenly got a very helpful contributor. I am sure there's a typical pattern. Then if a maintainer seems suspect investigate a little bit more. Here some balance is needed because probably many maintainers are not Mallory.
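One concrete form of the "suddenly got a very helpful contributor" pattern is an author who appears from nowhere and within a few quarters holds most of a project's commits. The following is an added example, not the commenter's code or any existing tool: it reads lines in the shape produced by `git log --format='%an|%aI'` (author name and ISO-8601 author date, an assumed input format), buckets commits by calendar quarter, and flags authors who reach a majority share within a few quarters of their first commit. The log it processes is constructed for the illustration; the 50% share, 3-commit minimum and 4-quarter lookback are assumptions, not calibrated thresholds.

```python
"""Added example: flag contributors whose commit share jumps shortly after they
first appear.  Not from the thread or any real project; the sample log is constructed.
Input format assumed:  git log --format='%an|%aI'  (one commit per line)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample history (not a real project): one long-time maintainer, then a
# newcomer who quickly becomes the dominant committer, plus one drive-by patch.
SAMPLE_LOG = """\
Old Maintainer|2021-01-10T10:00:00+00:00
Old Maintainer|2021-04-12T10:00:00+00:00
Old Maintainer|2021-07-03T10:00:00+00:00
Old Maintainer|2021-10-19T10:00:00+00:00
Old Maintainer|2022-01-08T10:00:00+00:00
Helpful Newcomer|2022-02-14T10:00:00+00:00
Helpful Newcomer|2022-04-02T10:00:00+00:00
Helpful Newcomer|2022-05-06T10:00:00+00:00
Helpful Newcomer|2022-06-21T10:00:00+00:00
Old Maintainer|2022-06-22T10:00:00+00:00
Helpful Newcomer|2022-07-09T10:00:00+00:00
Helpful Newcomer|2022-08-30T10:00:00+00:00
Helpful Newcomer|2022-09-15T10:00:00+00:00
Drive-by Fixer|2022-09-16T10:00:00+00:00
"""


def parse_log(text):
    """Yield (author, quarter_label) for each '%an|%aI' line, e.g. ('A', '2022Q2')."""
    for line in text.splitlines():
        if not line.strip():
            continue
        author, iso = line.split("|", 1)
        dt = datetime.fromisoformat(iso)
        yield author, f"{dt.year}Q{(dt.month - 1) // 3 + 1}"


def commit_shares(text):
    """Return {quarter: {author: commit_count}}, quarters in chronological order."""
    counts = defaultdict(lambda: defaultdict(int))
    for author, q in parse_log(text):
        counts[q][author] += 1
    return {q: dict(counts[q]) for q in sorted(counts)}


def flag_sudden_contributors(text, share=0.5, min_commits=3, lookback=4):
    """Return {author: [quarters]} for authors holding >= `share` of a quarter's
    commits (quarters with fewer than `min_commits` are ignored) while still within
    `lookback` active quarters of their first commit.  Authors present for longer
    than `lookback` quarters are not flagged, so an established maintainer's normal
    majority does not trip the check."""
    shares = commit_shares(text)
    quarters = list(shares)
    first_seen = {}
    for i, q in enumerate(quarters):
        for author in shares[q]:
            first_seen.setdefault(author, i)
    flagged = {}
    for i, q in enumerate(quarters):
        total = sum(shares[q].values())
        if total < min_commits:
            continue
        for author, n in shares[q].items():
            if i - first_seen[author] <= lookback and n / total >= share:
                flagged.setdefault(author, []).append(q)
    return flagged


if __name__ == "__main__":
    for author, quarters in flag_sudden_contributors(SAMPLE_LOG).items():
        print(f"{author}: majority of commits in {', '.join(quarters)}")
```

On a real repository, pipe `git log --format='%an|%aI'` into `flag_sudden_contributors`. As the comment says, balance is needed: a project that genuinely recruited a co-maintainer produces exactly the same curve, so a hit is a reason to look at what the new person's commits touch (build scripts, test fixtures, release tarballs) rather than a conclusion about the person.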



