I think the really scary part is the particular modus operandi that this demonstrates, one that is easily repeatable. A malicious actor builds up a reputation in the open source space and eventually takes ownership of the release process, at which point a backdoor is inserted.
There is absolutely nothing that would suggest this hasn't happened before or will not happen again.
Imagine a state actor offering retirement money and a plane ride to a non-extradition island nation for a few commits. Assuming the contributor is using a VPN already, no one would know they were adding surreptitious backdoors in their code.
The only solution is to scope security-relevant functions and add a multi-stage formal verification process before freezing the commits. This assumes no collusion.