Are they just an issue with wefwef or trying to use an exploit
You seem to be correct. Some sort of drive by login token scraper. Changing your password won’t help, because they still have an authorized copy of your login token. And I don’t think Lemmy has any sort of “Log out of all devices” button, (which deauthorizes all of the account’s login tokens) so there’s not much that a compromised account holder can do to stop it once the hacker has that token.
It’s the same thing that got Linus Tech Tips a few weeks back. Their entire YouTube account got hacked and turned into a fake “buy into our crypto and Elon Musk will give you a bunch of money” scam a few weeks back. And Linus quickly discovered that changing their passwords didn’t help, because the hackers were able to simply continue using the token they already had.
This was likely going on for a while, and only recently got activated because they finally snagged an admin account. Shit like this can lurk for a long time, simply waiting for the right target to stumble into it. They don’t really care about the individual accounts, except for helping spread the hack farther. But once they grabbed that admin account, they had what they wanted.