
Note that these accounts seem to be deleted now - 2ft2dKo28UazTZ clearly did more than just changed-files and also seems to target coinbase/agentkit as well (Actually... they might be targeted by the threat actor)



That is a really very likely scenario.

The attacker was trying to compromise agentkit and found changed-files used in the repo so looked around. Found that it was using a bot with a PAT to release.

Totally possible the bot account had a weak password, and the maintainer said it didn't have 2FA.

They got the release bot PAT so they tried possibly quite an obvious vector that. They didn't need anything sophisticated or to exfil the credentials because agentkit is public.

It just so happened that it was detected before agentkit updated dependencies.

It's possible that if they had checked the dependabot config they could've timed it a bit better so that it's picked up in agentkit before being detected.

edit: Although, I don't think PATs are visible after they're generated?



