ChoosesBarbecue 5 hours ago

> Please be careful when revoking tokens. It looks like the payload installs a dead-man's switch at ~/.local/bin/gh-token-monitor.sh as a systemd user service (Linux) / LaunchAgent com.user.gh-token-monitor (macOS). It polls api.github.com/user with the stolen token every 60s, and if the token is revoked (HTTP 40x), it runs rm -rf ~/. (It looks like it might also have a bunch of persistence mechanisms. I haven't studied these closely.)

Jesus, that's vindictive.
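The practical consequence of the quoted warning is that the monitor has to be found and stopped before the token is revoked. The following audit helper is an added example and not code from the thread or from the payload's authors; it only looks for the artifacts the comment names (the script path, a systemd user unit referencing it, and the LaunchAgent label). The systemd unit file name is not given in the thread, so every user unit mentioning gh-token-monitor is reported, and the unit name used in the constructed fixture is an assumption.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread): report the persistence
# artifacts the quoted comment describes, so they can be stopped before the
# stolen token is revoked. Read-only; it never deletes or stops anything.

# Print every artifact path found under the given home directory.
# Exit status: 0 if at least one artifact was found, 1 if none.
find_gh_token_monitor_artifacts() {
    home="$1"
    found=0

    # The dropped monitor script itself (path as reported in the thread)
    if [ -e "$home/.local/bin/gh-token-monitor.sh" ]; then
        echo "$home/.local/bin/gh-token-monitor.sh"
        found=1
    fi

    # Any systemd user unit that invokes the script (Linux); the unit file
    # name is unknown, so the unit contents are searched instead
    for unit in "$home"/.config/systemd/user/*.service; do
        [ -f "$unit" ] || continue
        if grep -q 'gh-token-monitor' "$unit"; then
            echo "$unit"
            found=1
        fi
    done

    # LaunchAgent plist carrying the label reported in the thread (macOS)
    for plist in "$home"/Library/LaunchAgents/com.user.gh-token-monitor*.plist; do
        [ -f "$plist" ] || continue
        echo "$plist"
        found=1
    done

    [ "$found" -eq 1 ]
}

# Count the artifacts the audit reports for a home directory.
count_gh_token_monitor_artifacts() {
    find_gh_token_monitor_artifacts "$1" | wc -l | tr -d ' '
}

# Build a constructed fixture home directory that mimics the described drop,
# so the audit can be exercised offline without touching the real $HOME.
# The unit file name "gh-token-monitor.service" is an assumption; the script
# body is a harmless placeholder, not the real payload.
make_fixture_home() {
    fixture=$(mktemp -d)
    mkdir -p "$fixture/.local/bin" "$fixture/.config/systemd/user" \
             "$fixture/Library/LaunchAgents"
    printf '#!/bin/sh\n# constructed placeholder, does nothing\nexit 0\n' \
        > "$fixture/.local/bin/gh-token-monitor.sh"
    printf '[Service]\nExecStart=%s/.local/bin/gh-token-monitor.sh\n' "$fixture" \
        > "$fixture/.config/systemd/user/gh-token-monitor.service"
    printf '<plist><dict><key>Label</key><string>com.user.gh-token-monitor</string></dict></plist>\n' \
        > "$fixture/Library/LaunchAgents/com.user.gh-token-monitor.plist"
    echo "$fixture"
}

# Run the audit against the current user's home and summarise.
if find_gh_token_monitor_artifacts "$HOME"; then
    echo "Persistence artifacts found; stop the monitor before revoking the token."
else
    echo "No gh-token-monitor artifacts found under $HOME."
fi
```

Because the monitor polls every 60s, a process that is already running keeps polling even after its unit file or plist is removed, so the order matters: stop the running service first (for example `systemctl --user disable --now` on the reported unit, or `launchctl bootout gui/<uid>/com.user.gh-token-monitor` on macOS), confirm no gh-token-monitor process remains, and only then revoke the token. The comment also notes other persistence mechanisms it did not study, so a clean audit from this script is not proof the host is clean.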

mediaman 4 hours ago

I could imagine this might also be to try to cover its tracks. If it gets 40x it means it's been found, time to nuke everything it can.

zapkyeskrill 2 hours ago

Maybe GH could, accidentally, 40x for a few minutes globally and eradicate the beast?
