The Git Project addressed a critical remote code execution vulnerability
The vulnerability allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
Git 2.19.1 has been released with a fix that addresses a vulnerability in Git that can cause arbitrary code to be executed when a user clones a malicious repository.
In order to be protected from the vulnerability, we recommend all users to update GitHub Desktop, Atom, their command-line version of Git, and any other application that may include an embedded version of Git.
Until the update, it is also recommended to avoid submodules from untrusted repositories.