Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Yeah the GitHub account looks really really legitimate. Maybe it was compromised though?


What looks legit about a gmail address and some stock art for a profile?


[Deleted per below]


You are not looking at the right profile. This is the profile that people are talking about: https://github.com/jaredallard


Oops, you're absolutely correct. Deleted (via edit) my comment above. Thanks.


Can you stay in that org after leaving Google?


whoever is in charge of removing people from the Google github org has the itchiest trigger finger in the whole exiting-the-company process tree.


No


He was just (50 minutes ago) removed from the oss fuzz repo.

I hope this also (at least temporarily until verification of 'bad/good') remove him from the org?


Plus the README.md that is just a rickroll


The 2 GMail accounts are 85% / mainly associated with XZ work, since 2021, per searching for them explicitly via Google.


The PR's two commits are signed by a key that was also used to sign previous commits belonging to that author.


Hold up, are you saying that https://github.com/jaredallard and the accounts affiliated with this XZ backdoor share a PGP key? Or something else?


No, this account made a PR and their commits were signed [1]. Take a look at their other repositories, e.g. they did AoC 2023 in Rust and published it, the commits in that repository are signed by the same key. So this is not (just) a GitHub account compromise.

I find this aspect to be an outlier, the other attacker accounts were cutouts. So this doesn't quite make sense to me.

[1] https://github.com/jamespfennell/xz/pull/2/commits




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: