Nice little Dune reference in there: The malware installs a Github action if it finds an access token, and names it 'shai-hulud-workflow.yml'. Shai Hulud is the Fremen term for the sandworms on Arrakis.

I if you think that last week attack was s1ngularity that can be related to wormhole, now we get this shai-hulud that is actually a worm. Funny right? They are similar attacks also. This funny coincidence was described by someone at Aikido Security.