Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The PR's two commits are signed by a key that was also used to sign previous commits belonging to that author.


Hold up, are you saying that https://github.com/jaredallard and the accounts affiliated with this XZ backdoor share a PGP key? Or something else?


No, this account made a PR and their commits were signed [1]. Take a look at their other repositories, e.g. they did AoC 2023 in Rust and published it, the commits in that repository are signed by the same key. So this is not (just) a GitHub account compromise.

I find this aspect to be an outlier, the other attacker accounts were cutouts. So this doesn't quite make sense to me.

[1] https://github.com/jamespfennell/xz/pull/2/commits




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: