A trojan hidden inside lookalike GitHub exploit code turns the habit of testing new proofs of concept into a credential-theft and remote-control risk.