* Claude hooks
* Gemini hooks
* Cursor setup
* VScode tasks
It adds all of the above to execute node .github/setup.js, an obfuscated file.
Check infected: `rg --hidden --no-ignore 'node .github/setup.js`
It spreads by adding mimic'd skip-ci commits to open PRs which then get merged.
Payload is obfuscated, available on request.
If this is already a known one in the world, apologies, it hit us at around 10PM BST last night, the damage would have been incredible.
Still trying to identify the original source.