Spam is not a problem GitHub has ever had to seriously face so far but this sort of attack does seem like it could catch some users casually googling for libraries.

If you impersonated all these real repos, made npm, pypi packages for them etc and also updated the readme I think you could catch some people off guard.