The interesting part is not the payload. It is how the attacker got the npm token in the first place: by injecting a prompt into a GitHub issue title.

It will never stop being so utterly baffling to me that this technology was unleashed and put into actual products when a problem like this is baked into it.
