On Wed, 2026-05-27 at 21:22 +0200, nathan wrote: > Hi, > > thank you for the update. I confirm that my credentials were compromised > earlier and that I was not the one performing the actions observed by the AI > system. > > Fortunately, I was able to regain access to both my GitHub and Fedora > accounts later in the evening, and I am currently securing and reviewing all > involved systems and credentials. > > I will personally handle the verification and review process. To help > identify accounts and actions that have been directly verified by me, I will > use the term “NATCIOS” to indicate anything I have personally verified. > > Also, please note that my official GitHub account is nathangiovannini99. > > Thank you all for your support and for the additional reviews.
Thanks. I note that GitHub account was created an hour ago. I also can't help noticing your recent mails (this one, and the one you sent to me privately) do not read much like previous emails you have sent, and have fairly different header blocks. I can't help but suspect these emails are also LLM-generated or assisted. By whom and to what purpose, it's hard to guess. The following scenarios seem possible: 1) You are Nathan, and the situation is as you claim: some of your credentials were compromised and used in the operation of this system, but you are now back in control. 2) You are Nathan, but there was not actually an account compromise; you were in control of the accounts and the agentic system all along. 3) You are not Nathan, you are an attacker who is still in control of his email address and other accounts. I don't know which of these is true and don't feel qualified to determine it. I apologize for any offence caused by my noting that scenario 2) is a possibility, but we do have to be clear-eyed in figuring out what's actually going on here. The identity and security aspects of this whole situation feel a little beyond my area of expertise at this point; if others could help out, it'd be great. Here's my current understanding of the situation: * I've reviewed all activity in RHBZ by the nathan95 account this year: https://bugzilla.redhat.com/page.cgi?id=user_activity.html&action=run&who=nathan95%40live.it&from=2026-01-01&to=2026-04-06&sort=when . The first suspicious activity appears to date to 2026-04-07 - severity and priority changes to https://bugzilla.redhat.com/show_bug.cgi?id=2416721 with no obvious justification. The last activity before 2026-04-27 was in January and appears legitimate. The first instance of a bug's assignee being changed to the nathan95 account was https://bugzilla.redhat.com/show_bug.cgi?id=2469013 on 2026-05-12 and suspicious activity occurred regularly after that. I have taken appropriate actions on each affected bug and upstream issues / PRs if any were linked. * Related PRs were created on GitHub by the accounts https://github.com/leurus27-boop and https://github.com/nathan9513-aps . Both accounts should likely be treated as suspicious. I will report both to GitHub shortly. * A related MR was created on invent.kde.org by the account https://invent.kde.org/nathangiovannini , which again should be treated as suspicious, and which I will report. * I have not reviewed any actions taken by any of the involved accounts which were not somehow related to Bugzilla, yet. We should probably look through anything else we can track the nathan95 account as having done in Fedora systems, and other things done by the associated GitHub accounts (or at least flag up that projects they have touched should review them). -- Adam Williamson (he/him/his) Fedora QA Fedora Chat: @adamwill:fedora.im | Mastodon: @[email protected] https://www.happyassassin.net -- _______________________________________________ test mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
