Ouch. Clever, and simple, hack. Social engineering FTW.
How about an optional mechanism where an established GitHub dev can be shown to have vouched for a new maintainer? A la web of trust?
Tons of holes, yes, but better than scammers just freely trawling the owners of no-longer-maintained popular repos.