Replace "coffee shop" with "software conference hall" and "specific lib" with "current log4j/junit/whatever very common library you want".
Suddenly it's a much less targeted attack. Moreover, the "victims" should be of much higher profile than your regular student downloading an obscure library whose repo you managed to hack.
Not that I think it's a particularly important security concern. However, when you are dealing with security concerns, the fact that you can't make up a situation that sounds bad enough doesn't mean that nobody else can't.
Update: sorry for the wording of the last sentence (non-native speaker here). I'll be glad if someone can correct it, because I can't figure out how to construct it to sound well.