It was on development branches. The threat actor was trying to delete development work.

Their main branch was already protected. I don't think it makes sense to protect every single branch in a repo? Since not all devs will have the ability to turn this off