It was possible to merge malicious pull requests and execute arbitrary Ruby codes on users' machines.
