
Apparently no one read the article: Dependabot was not compromised, no one accepted legitimate-looking PRs, or anything else like that.

API tokens were stolen, and then commits were made that spoofed Dependabot's name and style to avoid further scrutiny.


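The distinction the comment draws (a spoofed author identity on commits pushed with stolen tokens, rather than a compromised bot) suggests a concrete check: a commit that merely *claims* to be Dependabot carries whatever author name and email the pusher chose, but it will not carry a good, trusted signature, and its author email will usually not match the real bot account. The script below is an added example, not code from the comment or from GitHub; it parses the output of `git log --format='%H%x09%an%x09%ae%x09%G?%x09%s'` and flags Dependabot-looking commits whose email or signature status does not check out. The expected bot email address and the constructed sample log lines are assumptions made for the example.

```python
"""Flag commits that claim to be Dependabot but lack the expected identity or signature.

Input is the tab-separated output of:
    git log --format='%H%x09%an%x09%ae%x09%G?%x09%s'
where %G? is git's signature status: 'G' = good and trusted, 'N' = no signature,
'B' = bad, 'U' = good but untrusted key, etc.
"""
from dataclasses import dataclass

# Assumption for this example: the author address a genuine Dependabot commit carries.
# Verify it against a known-good Dependabot commit in your own repository before relying on it.
EXPECTED_DEPENDABOT_EMAIL = "49699333+dependabot[bot]@users.noreply.github.com"

# Only a good, trusted signature counts; GitHub's web-flow signing key must be in the
# local keyring for git to report 'G' on commits GitHub signed server-side.
GOOD_SIGNATURE = "G"


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str
    subject: str


def parse_log(text: str) -> list[Commit]:
    """Parse the five tab-separated fields per line; reject anything malformed."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 4)
        if len(parts) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        commits.append(Commit(*parts))
    return commits


def looks_like_dependabot(c: Commit) -> bool:
    """A commit that presents itself as Dependabot, by name or address."""
    return "dependabot" in c.author_name.lower() or "dependabot" in c.author_email.lower()


def suspicious_reasons(c: Commit) -> list[str]:
    """Return the reasons a Dependabot-looking commit fails verification (empty = fine).

    Both checks matter: a stolen token lets an attacker set any author email,
    so the email check alone is bypassable; the signature is what they cannot forge.
    """
    reasons: list[str] = []
    if not looks_like_dependabot(c):
        return reasons
    if c.author_email.lower() != EXPECTED_DEPENDABOT_EMAIL:
        reasons.append(f"author email {c.author_email!r} is not the Dependabot bot address")
    if c.sig_status != GOOD_SIGNATURE:
        reasons.append(f"signature status {c.sig_status!r} is not a good, trusted signature")
    return reasons


def find_spoofed(commits: list[Commit]) -> dict[str, list[str]]:
    """Map sha -> reasons for every Dependabot-looking commit that does not verify."""
    flagged = {}
    for c in commits:
        reasons = suspicious_reasons(c)
        if reasons:
            flagged[c.sha] = reasons
    return flagged


# Constructed sample log (not real commits): one genuine-looking bot commit,
# two spoofed ones, and one ordinary human commit.
SAMPLE_LOG = "\n".join([
    "aaaa111\tdependabot[bot]\t49699333+dependabot[bot]@users.noreply.github.com\tG\tBump lodash from 4.17.20 to 4.17.21",
    "bbbb222\tdependabot[bot]\tdependabot@example.com\tN\tBump axios from 0.21.1 to 0.21.4",
    "cccc333\tdependabot[bot]\t49699333+dependabot[bot]@users.noreply.github.com\tN\tBump minimist from 1.2.5 to 1.2.6",
    "dddd444\tAlice Dev\talice@example.com\tN\tFix typo in README",
])

if __name__ == "__main__":
    for sha, reasons in find_spoofed(parse_log(SAMPLE_LOG)).items():
        print(sha)
        for r in reasons:
            print("  -", r)
```

Run it against a real repository with `git log --format='%H%x09%an%x09%ae%x09%G?%x09%s' | python3 check.py` after adapting the entry point to read stdin; commit `cccc333` in the sample is the interesting case, since the email is right and only the missing signature gives it away.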
