… the OP includes a screenshot of a malicious GHA workflow that exfils secrets. (In addition to altering the targetted project's JS.)