[tyingq]

Browser extension maybe? Did you or your partner look at the newly created repo in a browser right after creating it?

I could see an extension watching for git like listings with json files named like wallets and fetch()ing them when they appear.

Easy enough to recreate, test with the devtools tab open.

[Stevvo]

You just gave me a scary idea. Everyone has Metamask set to auto-update. If somehow an attacker could get a compromised update pushed out it would not be pretty.