I suppose you think the maintainers shouldn’t have scrutinized those files? Please tell me it’s a joke.

The person who added the malicious blobs and signed the compromized archives was literally a maintainer of the project.

Ok, go ahead and scrutinize those files without looking at the injection code that was never in the repo? Can you find anything malicious? Probably not - it looks like random garbage which is what it was claimed to be.