Recently, we came across another way to use files from GitHub repositories in malware infections.
This time the infections weren’t via GitHub.io, raw.githubusercontent.com, or github.com/<user>/<repo>/raw/ URLs. The new trick involved a third-party service called RawGit that provides a CDN for GitHub files.
This is the script that we found injected into .js and theme files on infected Drupal and WordPress sites.
Some of the infections were clearly buggy.
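For site owners who want to check .js and theme files for references to the GitHub-backed hosts named above, here is a small scanner. It is an added example, not code from the original post or from the injected script. It assumes RawGit's public hostnames rawgit.com and cdn.rawgit.com; the sample file names and contents are constructed.

```python
import re
from urllib.parse import urlsplit

# Hosts that serve file content straight out of GitHub repositories.
EXACT_HOSTS = {
    "raw.githubusercontent.com": "github-raw",
    "rawgit.com": "rawgit",
    "cdn.rawgit.com": "rawgit-cdn",
}
# Absolute and protocol-relative URLs as they appear in JS, PHP and HTML.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>()\\]+""", re.IGNORECASE)

def classify(url):
    """Return a label if the URL points at GitHub-hosted files, else None."""
    try:
        parts = urlsplit("https:" + url if url.startswith("//") else url)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed authority, e.g. a stray "["
        return None
    if host in EXACT_HOSTS:
        return EXACT_HOSTS[host]
    if host.endswith(".github.io"):
        return "github-pages"
    # github.com/<user>/<repo>/raw/... serves the raw file, unlike /blob/.
    segs = [s for s in parts.path.split("/") if s]
    if host == "github.com" and len(segs) >= 3 and segs[2] == "raw":
        return "github-raw-path"
    return None

def scan_files(files):
    """files: {path: text}. Returns sorted (path, line number, label, url)."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in URL_RE.finditer(line):
                label = classify(m.group(0))
                if label:
                    findings.append((path, lineno, label, m.group(0)))
    return sorted(findings)

# Constructed sample input: two site files, one with a RawGit CDN reference.
SAMPLE_FILES = {
    "themes/example/js/main.js": 'var a = 1;\n'
        'load("https://cdn.rawgit.com/example-user/example-repo/master/lib.js");\n',
    "themes/example/footer.php": '<script src="//code.jquery.com/jquery.min.js"></script>\n'
        '<script src="https://github.com/example-user/example-repo/raw/master/x.js"></script>\n',
}

if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print("%s:%d [%s] %s" % hit)
```

Legitimate sites also load assets from these hosts, so each hit is a lead to compare against a known-good copy of the file rather than a verdict.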