A proof of (the bloody) concept has been presented:
https://securityintelligence.com/news/gitpwnd-shows-how-threat-actors-could-hijack-git-repositories-in-software-development/
Quoting:
"[The PoC] could be used to communicate malicious commands from threat actors. As proof, they developed GitPwnd, an open source penetration testing resource that takes advantage of popular services such as GitHub, GitLab or BitBucket.
Security Affairs explained how such attacks would work: Cybercriminals could use something like GitPwnd to host their Git repositories on GitHub, for instance. Then, as commands are sent to an infiltrated system, they could be easily disguised as legitimate traffic coming from a software developer, which uses the same transport layer for legitimate work."
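The "disguised as developer traffic" point is what makes this hard to spot at the network layer, but a repository used as a command channel still has to be polled, and polling leaves a cadence that ordinary developer fetches do not. The script below is an added detection example (not code from the quoted article or from the GitPwnd project): it reads constructed proxy log lines, keeps only Git fetch advertisements (`info/refs?service=git-upload-pack`) against the hosting services named in the article, and flags source/repository pairs that hit a repository outside an assumed allowlist at a near-constant interval. The log lines, IP addresses, repository names and the allowlist are all made up for the example.

```python
"""Added example (not from the quoted article or the GitPwnd project): flag
hosts that poll a Git hosting service on a fixed cadence, which is how a
repository-as-command-channel would look in proxy logs. All log lines,
addresses, repository names and the allowlist are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hosting services named in the article.
GIT_HOSTS = {"github.com", "gitlab.com", "bitbucket.org"}
# Repositories the organisation actually develops against (assumed allowlist).
ALLOWED_REPOS = {"github.com/acme/app.git"}

# Constructed log format: "<ISO time> <src-ip> <method> <url> <user-agent>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 GET https://github.com/not-acme/notes.git/info/refs?service=git-upload-pack git/2.43.0
2024-05-01T09:05:00 10.0.0.5 GET https://github.com/not-acme/notes.git/info/refs?service=git-upload-pack git/2.43.0
2024-05-01T09:10:00 10.0.0.5 GET https://github.com/not-acme/notes.git/info/refs?service=git-upload-pack git/2.43.0
2024-05-01T09:15:00 10.0.0.5 GET https://github.com/not-acme/notes.git/info/refs?service=git-upload-pack git/2.43.0
2024-05-01T09:20:00 10.0.0.5 GET https://github.com/not-acme/notes.git/info/refs?service=git-upload-pack git/2.43.0
2024-05-01T09:02:00 10.0.0.7 GET https://github.com/acme/app.git/info/refs?service=git-upload-pack git/2.43.0
2024-05-01T09:47:00 10.0.0.7 GET https://github.com/acme/app.git/info/refs?service=git-upload-pack git/2.43.0
2024-05-01T10:31:00 10.0.0.7 GET https://github.com/acme/app.git/info/refs?service=git-upload-pack git/2.43.0
2024-05-01T13:05:00 10.0.0.7 GET https://github.com/acme/app.git/info/refs?service=git-upload-pack git/2.43.0
2024-05-01T09:00:00 10.0.0.9 GET https://gitlab.com/other/tool.git/info/refs?service=git-upload-pack git/2.43.0
2024-05-01T09:03:00 10.0.0.9 GET https://gitlab.com/other/tool.git/info/refs?service=git-upload-pack git/2.43.0
2024-05-01T10:40:00 10.0.0.9 GET https://gitlab.com/other/tool.git/info/refs?service=git-upload-pack git/2.43.0
2024-05-01T10:41:00 10.0.0.9 GET https://gitlab.com/other/tool.git/info/refs?service=git-upload-pack git/2.43.0
2024-05-01T09:30:00 10.0.0.7 GET https://example.com/index.html Mozilla/5.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) "
    r"https?://(?P<host>[^/]+)/(?P<path>[^\s?]+)\?service=git-upload-pack"
)


def parse_fetches(log_text):
    """Yield (timestamp, src, host/repo) for fetch/clone ref advertisements
    against the known hosting services; every other line is ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["host"] not in GIT_HOSTS:
            continue
        repo = m["host"] + "/" + m["path"].replace("/info/refs", "")
        yield datetime.fromisoformat(m["ts"]), m["src"], repo


def find_polling(log_text, min_requests=4, max_cv=0.15):
    """Return (src, repo, mean_interval_seconds) for source/repository pairs
    that fetch a non-allowlisted repository at a near-constant interval.
    Regularity is measured as the coefficient of variation of the gaps."""
    series = defaultdict(list)
    for ts, src, repo in parse_fetches(log_text):
        series[(src, repo)].append(ts)
    findings = []
    for (src, repo), stamps in series.items():
        if repo in ALLOWED_REPOS or len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append((src, repo, round(avg)))
    return findings


if __name__ == "__main__":
    for src, repo, interval in find_polling(SAMPLE_LOG):
        print(f"{src} polls {repo} every ~{interval}s")
```

Run as-is it reports the one host that fetches an unknown repository every five minutes; the developer hitting the allowlisted repository at irregular times and the host with a bursty pattern are left alone. The allowlist and the cadence threshold are the two knobs a real deployment would tune, and the same grouping works for `git-receive-pack` (push) if the concern is exfiltration rather than tasking.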