This PR on Github installs a cryptominer. Github jobs rerun the script everytime someone open/closes the pull request.https://github.com/google/fonts/pull/3294/files
@neauoire Oof. Stuff like this makes me realize that attackers like this possess a creativity that I completely lack.
Signs & Codes is a private Mastodon instance built around a community of friends.