DDoS'ing github because you trojaned a source tree calls attention to the fact that you did it. Only the dumbest of all hackers would do such a thing and that is almost certainly NOT what is happening here. When you trojan a source tree, it only becomes useful after your intended victim downloads and installs it, which can take months or even years.
If the project has mostly "commercial" developers then chances are they work on it during the week. DDOS GitHub during the week and let off for the weekend. That gives a few days worth for your trojan to be downloaded by the unsuspecting. People will also have tired hearing about the "github news" so new news about trojaning will take a little longer to disperse.
If there is such commercial product, it would have been self-hosted. Not GitHub.
MongoDB and all the drivers https://github.com/mongodb
Mixpanel analytics libraries https://github.com/mixpanel
Yahoo YUI and various other JS related gunk https://github.com/yahoo
Shopify ecommerce libraries https://github.com/Shopify
Engine Yard tools & utils https://github.com/engineyard