They can exploit binaries too eg see this vulnerability in github https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-38...