Public secrets exposure leads to supply chain attack on GitHub CodeQL