The attack involves creating fake commit messages titled “fix” to introduce malware that extracts secrets from targeted repositories and steals passwords from web-form submissions.