Update: we have discovered more attempts from the same hacked account on the same date (January 7). These were harder to spot, because they were not made on branches belonging to pull requests.
Most important is a successful insertion of malicious code into the master branch of the plone.app.mosaic add-on, by editing and force pushing this commit. This has not made it into a release. But if you have been developing on the plone.app.mosaic code since then, you may be affected.
This instance, and all other instances that we have discovered, have been dealt with, either by undoing the malicious change, or by closing the branch/PR.
You should check your GitHub account to see if there are any Personal Access Tokens (PATs) that you don't recognise. Go to Settings, scroll down to Developer Settings, and check the Personal access tokens listed there. Delete any that you don't recognise.
In general it seems wise to check this regularly, also on other (developer) sites that you may be using.
Today we have taken precautions in the GitHub plone org to prevent force pushes to default and maintenance branches and to tags. These precautions are active on all repositories. In many cases, individual repositories already had such branch protection rules in place, but not all of them did.
Force pushing to feature branches (such as those for pull requests) is still possible, as this is a normal way to keep a clean git history. If you are reviewing a pull request, GitHub will show whether a force push has happened. You should check whether this is expected or not.
In the collective GitHub organisation we have no way to set these rules globally. If you have an add-on there that you feel responsible for, you should check if such branch protection rules are in place. If not, please add them.
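As an added example (not code from the Plone project), the following script audits every repository in a GitHub organisation and reports default branches that still allow force pushes, allow deletion, or have no protection rule at all, using the GitHub REST API. It assumes a read-capable API token in the GITHUB_TOKEN environment variable and takes the organisation name as its first argument.

```python
"""Audit an organisation's repos for default branches that still allow force
pushes or lack any protection rule (GitHub REST API). Added example, not Plone
project code; expects an API token in the GITHUB_TOKEN environment variable."""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"

def github_get(path, token):
    """GET an API path and return parsed JSON, or None on HTTP 404."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # GitHub answers 404 for "Branch not protected"
            return None
        raise

def audit_protection(protection):
    """List weaknesses in a /repos/{owner}/{repo}/branches/{branch}/protection
    response; `protection` is None when the branch has no rule at all."""
    if protection is None:
        return ["no branch protection rule"]
    findings = []
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes allowed")
    if protection.get("allow_deletions", {}).get("enabled", False):
        findings.append("branch deletion allowed")
    return findings  # tag rules use a separate API and are not checked here

def audit_org(org, token):
    """Yield (repo full name, default branch, findings) for every repo."""
    page = 1
    while repos := github_get(f"/orgs/{org}/repos?per_page=100&page={page}", token):
        for repo in repos:
            branch = repo["default_branch"]
            path = f"/repos/{repo['full_name']}/branches/{branch}/protection"
            yield repo["full_name"], branch, audit_protection(github_get(path, token))
        page += 1

if __name__ == "__main__":
    org_name = sys.argv[1] if len(sys.argv) > 1 else "collective"
    for name, branch, findings in audit_org(org_name, os.environ["GITHUB_TOKEN"]):
        print(f"{name} ({branch}): {'; '.join(findings) or 'ok'}")
```

Repositories reported as "ok" have a rule on their default branch that blocks both force pushes and deletion; anything else is worth a look by whoever maintains that add-on.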