[3np]

TL;DR: These are forks by unknown people containing malware. I see no indication in the linked thread of even a single successful compromise actually occurring, or malicious code making it into legitimate upstream projects.

[ache7]

Here is a commit with malicious code from a Microsoft employee:

https://github.com/promonlogicalis/asn1/commit/7bdca06d0edf8...

[raggi]

That commit was rewritten from https://github.com/Logicalis/asn1/commit/d60463189a563e49f19... which was signed, but is not in the fork.

[ache7]

Damn, github should show some big visible warning about this.

[3np]

As long as the commit is not signed (marked green), that means nothing.

[vladvasiliu]

This is interesting. If you go to that user's profile, and look at the "contributions", there are none in July / August. Yet the commit is from two days ago.