I think it's more about convenience and bypassing filters - developers are already logged in to github, already have access to create repos and publish code, firewalls will allow it. Even fancy HIDS systems will think the git push is rather normal.

If they have a clue, the attacker still will not download that without using a botnet tunnel or Tor at a minimum.

Note though that these credentials aren't even encrypted using some lightweight ECC to prevent others from capturing them, they're posted in cleartext. Embarassment might be part of the point.

With HN ettiquette in mind, I must make an exception: this is a case where skimming the first parts of the article would help a lot!

The public repo path is just one of four parallel paths, with the goal of getting around any barriers:

  The exfiltration component shares its design with the "Mini Shai-Hulud" mechanism from their last campaign, using four parallel channels so stolen data gets out even if individual paths are blocked.

[dead]