UserCompromised 3rdParty AppPublic RepoSensitive RepoInitial state: uninfected User with commit access to both repositories.Use cool tool onPublic RepoOAuth loginAdd CredentialsAccount Ownedopt[ Normal App usage ]Attack at any later timeCommit as User, even "verified" using added credentialsRepo OwnedUserCompromised 3rdParty AppPublic RepoSensitive Repo