On Wed, 2026-05-27 at 13:13 -0700, Adam Williamson wrote:
> On Wed, 2026-05-27 at 13:08 -0700, Adam Williamson wrote:
> > * I've reviewed all activity in RHBZ by the nathan95 account this year:
> > https://bugzilla.redhat.com/page.cgi?id=user_activity.html&action=run&who=nathan95%40live.it&from=2026-01-01&to=2026-04-06&sort=when
> > . The first suspicious activity appears to date to 2026-04-07 - severity and priority changes to
> > https://bugzilla.redhat.com/show_bug.cgi?id=2416721 with no obvious justification. The last activity before 2026-04-27 was in January and appears legitimate. The first instance of a bug's assignee being changed to the nathan95 account was
> > https://bugzilla.redhat.com/show_bug.cgi?id=2469013 on 2026-05-12 and suspicious activity occurred regularly after that. I have taken appropriate actions on each affected bug and upstream issues / PRs if any were linked.
> >
> > * Related PRs were created on GitHub by the accounts
> > https://github.com/leurus27-boop and
> > https://github.com/nathan9513-aps
> > . Both accounts should likely be treated as suspicious. I will report both to GitHub shortly.
> >
> > * A related MR was created on invent.kde.org by the account
> > https://invent.kde.org/nathangiovannini , which again should be treated as suspicious, and which I will report.
> >
> > * I have not reviewed any actions taken by any of the involved accounts which were not somehow related to Bugzilla, yet. We should probably look through anything else we can track the nathan95 account as having done in Fedora systems, and other things done by the associated GitHub accounts (or at least flag up that projects they have touched should review them).
>
> Sorry, forgot to mention, very important: nothing I found so far looks outright *malicious*.
Indeed, and as part of the team working on the Anaconda installer I still find the whole situation really problematic:
* we spent quite a lot of time reviewing the PRs from what initially looked like a new eager contributor
* while it started to look off after a while, all the replies were still like this - a bit weird, but still *plausible* (eg. no arguing or ignoring our questions - just, as it turns out, AI-generated slop basically :P)

Unfortunately, for an actual attack the preparatory phase could (and for the Xz attack did) look very similar - a new contributor slowly gaining trust in the community, getting in harmless changes and building up to the point when the attack payload can be injected (or the changes not actually being harmless if combined the right way).

So I'm not saying this was it, but an AI-agent-automated attempt at an Xz-like compromise might really look very similar to what we have just seen here. :P

> --
> Adam Williamson (he/him/his)
> Fedora QA
> Fedora Chat: @adamwill:fedora.im | Mastodon: @[email protected]
> https://www.happyassassin.net
>
> --

_______________________________________________
test mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
