And these aren't compromised projects, they are repos created by the "attacker" if you can even call them that. Of course anyone can push malware to their own account. The author admits this in the thread:
> The attacker creates FAKE orgs/repos and pushes clones of LEGIT projects to github.

Pure scaremongering and/or attention seeking.
Edit: Sorry, I posted two similar comments because my first top level one was immediately downvoted to the bottom. It has since come back up.