Of course, that's only since the attack was caught early. Since it affected the machines that build packages, a next step could have been, say, to add code to Git to make it ignore certain commit IDs or mask them in some way. Maybe even modify Firefox, Chromium etc to not show those changes on github. With a backdoor like this and enough time undetected, you could control basically everything.