Sadly, this is a lesson that we should have learned some time ago. But from our past failure to learn, we can reliably predict that people will continue avoiding learning.
Supply side attacks are real, and they're here. Attackers attack core developers, then get their code into repositories. As happened this year to the npm package eslint-config-prettier, and last year to the Cyberhaven Chrome extension. Attackers use social engineering to get developers to hand over control of lesser used packages, which they then compromise. As happened in 2021 with the npm package ua-parser-js, and separately with the Chrome extension The Great Suspender. (I'm picking on Chrome because I wanted examples that impact non-developers. I'm only picking on npm because it turned up quickly when I looked for examples.)
The exact social engineering attack described by the OP is also not new. https://www.csoonline.com/article/3479795/north-korean-cyber... was published last year, and describes this being used at scale by North Korea. Remember, even if you don't have direct access to anything important, a sophisticated attacker may still find you useful as part of a spearphishing campaign aimed at someone else. Because a phishing attack that actually comes from a legitimate friend's account may succeed, where a faked message would not. And a company whose LinkedIn shows real developers, is more compelling than one without.
Supply side attacks are real, and they're here. Attackers attack core developers, then get their code into repositories. As happened this year to the npm package eslint-config-prettier, and last year to the Cyberhaven Chrome extension. Attackers use social engineering to get developers to hand over control of lesser used packages, which they then compromise. As happened in 2021 with the npm package ua-parser-js, and separately with the Chrome extension The Great Suspender. (I'm picking on Chrome because I wanted examples that impact non-developers. I'm only picking on npm because it turned up quickly when I looked for examples.)
The exact social engineering attack described by the OP is also not new. https://www.csoonline.com/article/3479795/north-korean-cyber... was published last year, and describes this being used at scale by North Korea. Remember, even if you don't have direct access to anything important, a sophisticated attacker may still find you useful as part of a spearphishing campaign aimed at someone else. Because a phishing attack that actually comes from a legitimate friend's account may succeed, where a faked message would not. And a company whose LinkedIn shows real developers, is more compelling than one without.