For me i feel the attack vector is Public repo > infect by merge > github runner picks up and gets infected > and github action (from a repo) that then runs on runner getw effected
Take the JS file and decode it! Decoded execution chain ----------------------- 1. Outer layer: - Starts with try{eval(function(s,n){...})([large numeric array].map(...).join(""),1)) - Converts numeric character codes…
For me i feel the attack vector is Public repo > infect by merge > github runner picks up and gets infected > and github action (from a repo) that then runs on runner getw effected
Take the JS file and decode it! Decoded execution chain ----------------------- 1. Outer layer: - Starts with try{eval(function(s,n){...})([large numeric array].map(...).join(""),1)) - Converts numeric character codes…