Once-trusted code repositories are being turned into malicious delivery systems to harvest credentials and deploy malware – here’s what you need to know.