GitHub is being abused to distribute the Lumma Stealer information-stealing malware as fake fixes posted in project comments. […]

from https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-password-stealing-malware-masked-as-fixes/