GitHub projects targeted with malicious commits to frame researcher (opens in new tab)

Innocent looking PR with eval along with hidden payload? Does this really take a 10x Carmack to spot this one?