alt Hacker Newshttps://en.wikipedia.org/wiki/XZ_Utils_backdoor
https://medium.com/@aleksamajkic/fake-sms-how-deep-does-the-...
https://blog.linuxmint.com/?p=2994
https://www.bleepingcomputer.com/news/linux/malicious-packag...
https://www.cnx-software.com/2021/04/22/phd-students-willful...
I could go on but I trust this is a sufficient number of examples.
Only two of these were actual malicious commits. Two others were malware inserted into the repositories (if Twitter could be thought of as a meta-repo), which is bad but not on the same scale.