It hides the malware's trail, and disguises which keys were leaked, making rotation harder
The socket.dev deconstruction of the worm (https://socket.dev/blog/shai-hulud-strikes-again-v2) suggests that the destructive actions on GitHub were not part of the malware itself.
alt Hacker News
The socket.dev deconstruction of the worm (https://socket.dev/blog/shai-hulud-strikes-again-v2) suggests that the destructive actions on GitHub were not part of the malware itself.