Comment on Supply-chain attacks on open source software are getting out of hand
0x520@slrpnk.net 5 days ago
This attack could have been easily averted… If anybody uploads code to a repo that uses some version of rm -rf / that should automatically be rejected. This is basic malware detection. If they had done anything to obfuscate that functionality, we probably would be finding out about this way too late.
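The check the commenter describes, as an added example that is not part of the original comment or of any project it mentions: a small pre-merge scanner that walks a set of files (constructed inline here as a dict of path to content, standing in for a checkout), splits each line into individual shell commands, and flags the plain forms of a root-wiping `rm` (`rm -rf /`, `rm -rf /*`, `rm --no-preserve-root`). It deliberately matches only the literal form; as the comment itself notes, anything obfuscated falls outside a heuristic like this, which is why it belongs in front of a merge as a cheap tripwire rather than as a substitute for review.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List

# Shell-level separators so "cd /tmp && rm -rf /" is inspected per command.
_SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def _is_recursive_flag(tok: str) -> bool:
    """Short flag cluster containing r/R, or the long recursive/no-preserve-root flags."""
    if tok in ("--recursive", "--no-preserve-root"):
        return True
    return tok.startswith("-") and not tok.startswith("--") and "r" in tok.lower()


def is_root_wipe(command: str) -> bool:
    """True if `command` is a plain `rm -r… /` or `rm -r… /*` invocation.

    Only the literal, unobfuscated form is detected (by design: this is a
    cheap gate, not a full analysis). Targets assembled from variables,
    eval, or encoded payloads are not recognised.
    """
    try:
        toks = shlex.split(command, comments=True)
    except ValueError:  # unbalanced quotes (e.g. a heredoc fragment): skip the line
        return False
    for i, tok in enumerate(toks):
        if tok != "rm" and not tok.endswith("/rm"):  # also catches /bin/rm, sudo rm
            continue
        args = toks[i + 1:]
        flags = [a for a in args if a.startswith("-")]
        targets = [a for a in args if not a.startswith("-")]
        if "--no-preserve-root" in flags:
            return True
        if any(_is_recursive_flag(f) for f in flags) and any(t in ("/", "/*") for t in targets):
            return True
    return False


@dataclass
class Finding:
    path: str
    line: int
    command: str


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan {path: content} and report every line containing a root-wiping rm."""
    findings: List[Finding] = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for cmd in _SEPARATORS.split(line):
                if cmd and is_root_wipe(cmd):
                    findings.append(Finding(path, lineno, cmd))
                    break  # one finding per line is enough
    return findings


# Constructed sample "repository": two benign scripts and one that wipes root.
SAMPLE_FILES = {
    "scripts/clean.sh": '#!/bin/sh\nset -e\nrm -rf ./build\nrm -rf "$HOME/.cache/myapp"\n',
    "scripts/postinstall.sh": "#!/bin/sh\ncd /tmp && rm -rf / 2>/dev/null\n",
    "Makefile": "clean:\n\t$(RM) -r dist\n",
}


if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for h in hits:
        print(f"REJECT {h.path}:{h.line}: {h.command}")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the CI job
```

Wired into CI or a pre-receive hook, a non-zero exit blocks the merge; the interesting design choice is splitting on `&&`, `;` and `|` before tokenising, so a destructive command hidden behind a harmless `cd` in the same line is still seen on its own.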