Many tutorials don't point directly to the GitHub script. Instead, they tell you to download a office_activator.zip from MediaFire or a YouTube link. Inside that zip is a .bat file that looks like the GitHub script but actually runs hidden malware before launching the real activator.
However, because the Ohook method exploits a legitimate licensing hook meant for volume license customers, completely patching it without breaking legitimate corporate deployments is difficult. As a result, Microsoft relies on to detect and quarantine the activator scripts. That is why you will constantly see warnings like "Trojan:Win32/Wacatac.H!ml" or "HackTool:Win32/AutoKMS." github microsoft office activator cmd