Apparently there’s a bunch of projects getting hit with this, fairly obscure ones though. Project gets forked, suddenly get a pile of stars more than the original, and then there’s a curl-bash pipe inserted into it that runs some ransomeware that encrypts ~/Documents.
About a dozen other projects linked in here from another developer (excuse the Reddit link): https://old.reddit.com/r/golang/comments/1jbzuot/someone_copied_our_github_project_made_it_look/
This isn’t really a supply chain attack. It’s more social engineering: fake users, forks, and non-verified code. They’re taking advantage of the fact that most people don’t use verified releases or packages code from open source projects.
GitHub is not compromised, nor sending unintended payloads.
Many of the projects are backend dev tools, like the Atlas provider linked in the thread.