Folks - just heard of a vulnerability in apparently all git clients where if you’re using a case-insensitive filesystem (e.g. Windows or OSX), somebody could overwrite your .git/config directory, resulting in running commands on your local box.
Short story, upgrade your git clients. More info here: https://github.com/blog/1938-git-client-vulnerability-announced John