On the follow up Wiz blog they suggested that the exfiltration was cross-victim https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-sup...

As the sibling comment said, the worm used stolen GitHub credentials from other victims, and randomly distributed the uploads between victims.

Also everything was double base64 encoded which makes it impossible to use GitHub search.