Is opam vulnerable to the recent package management supply chain attack?

Without addressing the specific attack you link, there is no doubt that opam is susceptible to much simpler “supply chain” attacks involving only the canonical opam repository and its processes. See Opam-repository: security and data integrity posture for some discussion.

For those who aren’t familiar, the biggest headline from that IMO is that opam releases are not immutable (i.e. authors can update the contents of a previously-published library release) as a matter of policy. This means that a malicious actor can land a payload into a library consumer’s build even without that consumer e.g. changing the version number their project depends upon.

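One defensive check that follows from the answer above, added here as an example and not part of the original thread: because a published opam release can be re-pointed at a different tarball without a version bump, a consumer can keep a copy of the vetted opam file (for instance from a pinned opam-repository commit) and diff its `url { src: ... checksum: [...] }` section against the current one before each build. The opam file contents and hash values below are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample: packages/foo/foo.1.2.0/opam as it looked when the
# project last vetted its dependencies. Digests are placeholders, not real.
OPAM_AT_LOCK_TIME = '''
opam-version: "2.0"
synopsis: "Example library"
url {
  src: "https://example.invalid/foo/foo-1.2.0.tbz"
  checksum: [
    "sha256=aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111"
    "sha512=bbbb2222bbbb2222bbbb2222bbbb2222"
  ]
}
'''

# Constructed sample: the same version string, re-published with a different
# tarball (only the sha256 digest differs; the src URL is unchanged).
OPAM_NOW = OPAM_AT_LOCK_TIME.replace("aaaa1111", "cccc3333")


def parse_url_section(opam_text: str) -> Dict[str, str]:
    """Extract src and checksum entries from the url {} block of an opam file."""
    block = re.search(r'url\s*\{(.*?)\}', opam_text, re.S)
    if not block:
        return {}
    body = block.group(1)
    result: Dict[str, str] = {}
    src = re.search(r'src:\s*"([^"]*)"', body)
    if src:
        result["src"] = src.group(1)
    # opam checksums are written as "<algo>=<hexdigest>" strings
    for algo, digest in re.findall(r'"(md5|sha256|sha512)=([0-9a-fA-F]+)"', body):
        result[algo] = digest.lower()
    return result


def release_drift(locked: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Report url fields that changed or vanished for an already-published release."""
    findings: List[str] = []
    for key, value in locked.items():
        if key not in current:
            findings.append(f"{key} missing from current definition")
        elif current[key] != value:
            findings.append(f"{key} changed: {value} -> {current[key]}")
    return findings
```

Any non-empty result for a version you already depend on means the release was republished and deserves a look before the new tarball enters your build.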