> Please be careful when revoking tokens. It looks like the payload installs a dead-man's switch at ~/.local/bin/gh-token-monitor.sh as a systemd user service (Linux) / LaunchAgent com.user.gh-token-monitor (macOS). It polls api.github.com/user with the stolen token every 60s, and if the token is revoked (HTTP 40x), it runs rm -rf ~/. (It looks like it might also have a bunch of persistence mechanisms. I haven't studied these closely.)
Jesus, that's vindictive.
I could imagine this might also be to try to cover its tracks. If it gets 40x it means it's been found, time to nuke everything it can.
Maybe GH could, accidentally, 40x for a few minutes globally and eradicate the beast?
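The practical takeaway from the quoted comment is to look for the dead-man's switch before revoking the token, not after. The following check is an added example and is not code from the thread or from the payload it describes. It looks only for the indicators the comment names: the script path ~/.local/bin/gh-token-monitor.sh, a systemd user unit that references it (the unit filename is not given in the thread, so the unit directory ~/.config/systemd/user is scanned by content, which is an assumption), and the LaunchAgent label com.user.gh-token-monitor, assumed to live at the standard ~/Library/LaunchAgents location.

```shell
#!/bin/sh
# Added example: enumerate the persistence indicators described in the thread
# before the token is revoked. Paths come from the quoted comment; the systemd
# unit filename is unknown, so user units are matched on their contents.
#
# Usage: gh_token_monitor_indicators [HOME_DIR]
#   Prints one line per indicator found. Returns 0 if anything was found,
#   1 if the directory looks clean. HOME_DIR defaults to $HOME.
gh_token_monitor_indicators() {
    home="${1:-$HOME}"
    found=0

    # 1. The monitor script itself, at the path named in the thread.
    if [ -f "$home/.local/bin/gh-token-monitor.sh" ]; then
        echo "script: $home/.local/bin/gh-token-monitor.sh"
        found=1
    fi

    # 2. Any systemd user unit whose body references the script.
    #    (Assumption: units live in the standard ~/.config/systemd/user.)
    if [ -d "$home/.config/systemd/user" ]; then
        for unit in "$home"/.config/systemd/user/*.service; do
            [ -f "$unit" ] || continue
            if grep -q 'gh-token-monitor' "$unit"; then
                echo "systemd user unit: $unit"
                found=1
            fi
        done
    fi

    # 3. The macOS LaunchAgent, by the label named in the thread.
    plist="$home/Library/LaunchAgents/com.user.gh-token-monitor.plist"
    if [ -f "$plist" ]; then
        echo "LaunchAgent: $plist"
        found=1
    fi

    [ "$found" -eq 1 ]
}
```

If the check reports anything, stop the unit or agent first (`systemctl --user disable --now <unit>` on Linux, `launchctl bootout gui/$(id -u) <plist>` on macOS), confirm no copy of the script is still running, and only then revoke the token. The comment also notes there may be further persistence it did not examine, so a clean result from this check is not proof the host is clean.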