tl;dr: Build and deployment scripts are in a git repo. A pull request is made modifying the build and deployment scripts. When the pull request is opened, a build is started to run tests, etc. The modified build script deploys a malicious file live to production. twitter.com/xssfox/status/136228…
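A CI-side gate against the scenario above, as an added example that is not part of the original post. The protected paths, the event names and the `plan_pr_build` helper are assumptions for illustration and not any CI product's API.

```python
from fnmatch import fnmatchcase
from posixpath import normpath

# Assumed repo layout: files the CI runner executes or takes its steps from.
PIPELINE_PATHS = ["build.sh", "Makefile", "deploy/*", "ci/*", ".ci.yml"]


def pipeline_files_touched(changed_files, patterns=PIPELINE_PATHS):
    """Return the changed paths that are part of the build/deploy pipeline."""
    hits = set()
    for path in changed_files:
        clean = normpath(path)  # "./ci/../build.sh" -> "build.sh"
        if any(fnmatchcase(clean, pat) for pat in patterns):
            hits.add(clean)
    return sorted(hits)


def plan_pr_build(changed_files, event, approved_by_maintainer=False):
    """Decide how a build may run, given what triggered it and what changed.

    Two independent controls:
      1. Builds triggered by a pull request never get deploy credentials and
         never run the deploy stage, so a modified script has nothing to
         deploy with.
      2. If the PR edits pipeline files, the build is held and the scripts are
         taken from the base branch until a maintainer approves the change.
    """
    is_pr = event == "pull_request"
    touched = pipeline_files_touched(changed_files)
    hold = is_pr and bool(touched) and not approved_by_maintainer
    return {
        "expose_deploy_secrets": not is_pr,
        "run_deploy_stage": not is_pr,
        "scripts_from": "base" if hold else "head",
        "hold_for_review": hold,
        "touched": touched,
    }


if __name__ == "__main__":
    # Constructed sample: a PR that edits application code and a deploy script.
    sample = ["src/app.py", "./deploy/push.sh"]
    for key, value in plan_pr_build(sample, "pull_request").items():
        print(f"{key}: {value}")
```

The first control is the one that matters most: a PR-triggered job that holds no production credentials cannot deploy, whatever its script does.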