This time the infections weren’t via GitHub.io, raw.githubusercontent.com, or github.com/<user>/<repository>/raw/ URLs. The new trick involved a third-party service called RawGit that provides a CDN for GitHub files.
This is the script that we found injected into .js and theme files on infected Drupal and WordPress sites.
Some of the infections were clearly buggy.
Source: Scuri check