I'm curious if he reported it in any other way (www.github.org/security/). IMO, if you report something, and no action is taken, it's understandable if someone does an exploit like this, although not strictly ethical or right.

A global source code repository is one of the more terrifying targets on the Internet; imagine subtle compromise of various libraries...