If the project has mostly "commercial" developers then chances are they work on it during the week. DDoS GitHub during the week and let off for the weekend. That gives a few days' worth for your trojan to be downloaded by the unsuspecting. People will also have tired of hearing about the "github news", so new news about trojaning will take a little longer to disperse.
If there were such a commercial product, it would have been self-hosted. Not GitHub.
MongoDB and all the drivers https://github.com/mongodb
Mixpanel analytics libraries https://github.com/mixpanel
Yahoo YUI and various other JS related gunk https://github.com/yahoo
Shopify ecommerce libraries https://github.com/Shopify
Engine Yard tools & utils https://github.com/engineyard