username223 6 days ago
That's some next-level incompetence:

1. Allow poorly-vetted third-party tools to run in CodeRabbit's privileged environment. The exploit used a Ruby code analysis tool that was probably written 15 years ago and meant to be run locally by trusted developers, who already had access to /bin/sh.
2. Ask for coarse-grained permission to access and modify others' code without any checks.

Either of those by itself would be bad enough. The future looks bright for black or white hats who understand computers.