I had the same questions. Still, better to be alert instead of ignoring the threat.
From what I could understand, certain projects on GitHub probably rely/depend on content from other repositories (I assume these are the "dependencies") to compile.
It can happen that a certain repository is infected, and the malware apparently only attacks the computer where the compiled app from that project in particular is run.
Well, we all know that this is the risk associated with running apps from independent/third party developers, right? Also another reason why some people defend the App Store's walled garden.
One specific point though, they (the ones that found and reported the malware) told Apple in December 2019, and there were at least two security updates issued by Apple. I haven't read the details of them, but probably they've already patched it.
If anything, this case was probably one of the key reasons why they implemented the privacy notifications on iOS 14 about what each app is doing on your phone with your clipboard data and/or accessing specific private data.
"Design isn't just what it looks like and feels like. Design is how it works."
JOBS, Steve.
READ: Right to Repair sucks and is illegal!