GitHub Malicious Issue/Pages Content

Panther Rules

Summary
This detection rule monitors GitHub issues and wiki pages for patterns indicative of code injection attempts. Specifically, it targets command-substitution patterns and shell command invocations that may indicate a bash injection vector, closely modelled on the existing Nx vulnerability advisory (GHSA-cxm3-wv7p-598c). The rule operates on events from GitHub webhooks and looks for such content in issue titles and bodies, as well as in wiki page names. When it fires, it triggers a series of investigative and remedial steps, including reviewing the author's credentials and potentially blocking the offending user. Tests are included to validate the detection against both real-world malicious and benign usage patterns.
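To make the detection logic concrete, here is an added example of a Panther-style `rule(event)` over GitHub webhook payloads; it is not Panther's rule source, and the event shape (an `issues` payload with `issue.title`/`issue.body`, a `gollum` payload with `pages[].page_name`) and the backtick heuristic are assumptions made for this illustration.

```python
import re

# $(...) command substitution anywhere in the inspected text.
DOLLAR_SUBST = re.compile(r"\$\([^)]*\)")
# Backticks are also markdown inline code, so only count a backtick segment
# when its content chains, pipes or redirects commands (assumed heuristic).
BACKTICK_SUBST = re.compile(r"`([^`]*)`")
SHELL_CHAIN = re.compile(r"[|;&>]")


def _candidate_fields(event):
    """Yield (field_name, text) for the fields the rule inspects."""
    issue = event.get("issue") or {}
    if issue:
        yield "issue.title", issue.get("title")
        yield "issue.body", issue.get("body")
    for page in event.get("pages") or []:  # gollum (wiki) payload
        yield "pages.page_name", page.get("page_name")


def suspicious_fields(event):
    """Return [(field, matched_text), ...] for every substitution pattern found."""
    hits = []
    for field, text in _candidate_fields(event):
        if not isinstance(text, str):
            continue
        hits.extend((field, m.group(0)) for m in DOLLAR_SUBST.finditer(text))
        for m in BACKTICK_SUBST.finditer(text):
            if SHELL_CHAIN.search(m.group(1)):
                hits.append((field, m.group(0)))
    return hits


def rule(event):
    return bool(suspicious_fields(event))


def title(event):
    repo = (event.get("repository") or {}).get("full_name", "<unknown repo>")
    actor = (event.get("sender") or {}).get("login", "<unknown user>")
    fields = sorted({f for f, _ in suspicious_fields(event)})
    return f"[{repo}] possible shell injection content by {actor} in {', '.join(fields)}"


# Constructed sample webhook events (not real data).
ISSUE_EVENT = {"action": "opened", "repository": {"full_name": "example/app"},
               "sender": {"login": "someuser"},
               "issue": {"title": "Build fails on $(id) step", "body": "see attached log"}}
WIKI_EVENT = {"repository": {"full_name": "example/app"}, "sender": {"login": "someuser"},
              "pages": [{"page_name": "Home `cat notes | tee out`", "action": "edited"}]}
BENIGN_EVENT = {"issue": {"title": "Docs typo", "body": "Run `npm test` to reproduce"}}
```

Developers legitimately paste shell snippets into bug reports, so treat a hit as a triage signal to review the author and the repository's workflows, not as proof of an attack.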
Categories
  • Web
  • Identity Management
  • Cloud
  • Application
  • Other
Data Sources
  • Web Credential
  • Application Log
  • Process
ATT&CK Techniques
  • T1195.002
  • T1072
Created: 2025-11-13