Just as a heads up I have been deleting 10ish shady comments asking to download zip files (reported and got confirmation from GH). It looks like they have a bot that spams only the fresh issues/PRs (probably by scanning via GH API).
Not sure how to act, but probably we have to be a bit more vigilant until this wave passes.