The socket.dev deconstruction of the worm (https://socket.dev/blog/shai-hulud-strikes-again-v2) suggests that the destructive actions on GitHub were not part of the malware itself.