"This second stage Malicious Script read the Private SSH Key stored in the id_rsa file located in the homedir/.ssh directory. It then uploaded the Base64 encoded key to an attacker-controlled GitHub repository"

https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data