
>you would have to methodically worm your way into a community over time, participating on IRC, helping contribute innocuous changes to other packages, training new users, and so on. You'd then have to apply for the ability to upload, having demonstrated both skill and the ability to work with other members of the community, as well as the need for permission to upload a specific package. This process would take months or years.

sure. or you find somebody who's already done that and pay them some money.



And then, even if they're tempted by the large amount of money, they probably get caught pretty quickly and get banned. Again, even if you can use another person's account to reputation launder, it's still a very transparent platform that's hard to pull stuff like this on.

The usual process for this with mobile apps is not to pay someone a lot of money to ship malware, but rather to buy the person's account, app, and the source code outright. This has the advantage of not having to be explicit about what you're up to, gives the original developer plausible deniability, and gives you way more control. Plus it makes reputation laundering way easier and since the app is still closed source you can make any changes you want without anyone being the wiser.

All of this is completely different from how community supported repositories are run.



