On March 11, 2025, the attacker used the stolen PAT to invite another dummy user (jurkaofavak) into SpotBugs, who pushed a malicious GitHub Actions workflow that exfiltrated another PAT belonging ...