Credit:
The attacker appears to have figured out how to insert javascript into Reddit comments: thus, hovering over such a comment is all it takes to spread the exploit. We're not aware of anything being downloaded to your machine at this point: only a XSS attack that posts the troublesome comments in your name.
At the time of writing, Reddit is offline.
Update: contrary to the first version of this post, it appears your old comments are not overwritten: the attack only spawns new ones. We'll update as we learn more.
Thanks to @harknesslabs for the tip-off.