I'm not exactly sure what you mean, but this kind of report regularly pops up. Try searching "pypi malicious package" or "npm malicious package" and you'll see lots of results.
I tend to see more of them from say the last week in July to the 2nd week in August. And they are extensively discussed at the hacking conventions.
Could just be I am paying a bit more attention around now because I am looking and listening to that stuff more. Or do the reports slow down a bit a while before, as people 'hoard' the vulnerabilities?
Someone would really have to dig into the reporting dates over a number of years and do some statistics (neither of which I am going to do) to prove or disprove it.
-Dave