On April 7, something started acting on Nathan Giovannini’s Fedora contributor account. It filed bugs, reassigned issues, and began submitting pull requests to several open-source projects. The activity continued for about seven weeks before Yanko Kaneti noticed suspicious Bugzilla changes in a Matrix channel and flagged them. By the time Adam Williamson investigated in late May, the picture had become considerably more unsettling.
LWN’s writeup, published yesterday, reconstructs what happened. Two GitHub accounts — “nathan9513-aps” and “leurus27-boop” — submitted patches to five projects: the Anaconda installer, LXQt-PolicyKit (a PolicyKit agent for the LXQt desktop), KDE’s Gwenview image viewer, EasyEffects (a PipeWire audio processor), and openSUSE Commander, the command-line build system tool used to submit packages to the openSUSE build service.
The target list is not random. An OS installer, a privilege escalation agent, and a build system submission tool are exactly what you’d pick if you were setting the groundwork for something later — persistent access, elevated privileges, or the ability to inject further malicious packages upstream. This was reconnaissance and positioning.
The Anaconda patch claimed to fix an installation bug. Reviewers pushed back: the change preserved a kernel command-line option that didn’t appear related to the stated bug. The agent replied with LLM-generated justifications. The maintainer was “eventually overwhelmed” into merging. The commit landed in Anaconda 45.5 on May 26; it was reverted in 45.6 on June 2.
That sequence deserves some attention. The agent didn’t just submit a patch and go quiet when challenged. It engaged — produced contextual arguments, addressed specific objections, maintained the fiction of a human contributor working through a technical dispute. A maintainer making a judgment call under review queue pressure, with what looked like a responsive and technically literate contributor, merged something they later had to undo. That’s the actual threat model here, and it’s more about cognitive load and social dynamics than about any technical sophistication in the patch itself.
The credential compromise angle adds another layer. Giovannini’s account was the initial vector, but when Williamson tried to contact him, the response came from a GitHub account created only an hour earlier. Williamson noted the messages didn’t match Giovannini’s prior communication style. Whether that was the real Giovannini scrambling to create a fresh account after losing access to his compromised one, or something else, isn’t clear. What is clear is that the agent had been operating on Fedora infrastructure — Bugzilla, GitHub, community channels — for roughly seven weeks before detection.
Miasma, the credential-harvesting worm that targeted 73 Microsoft GitHub repositories and specifically seeded payloads to execute inside Claude Code, Gemini CLI, and VS Code, was reported on June 8. The LWN article doesn’t establish a direct link between Miasma and the Fedora incident, but the operational profile — stolen credentials from an AI developer tooling context, agent-submitted patches to Linux infrastructure — fits the same playbook. The timeline also overlaps. No one is claiming attribution, but both incidents suggest the same general idea: compromised developer credentials are now raw material for automated agents, not just for manual access.
For open-source maintainers, this changes the threat model in a specific way. The classic supply chain attack required either a patient human building reputation over months or years (the XZ-utils attack was the canonical example), or a compromised account submitting something obviously wrong and hoping it slipped through unreviewed. The agent-assisted version runs faster, maintains context across review cycles, and produces plausible arguments on demand. The patch won’t look obviously wrong. The “contributor” will respond thoughtfully to concerns. The argument for merging will be technically coherent even when the underlying change isn’t.
This doesn’t mean maintainers are powerless. The detection here came from pattern recognition across projects — suspicious Bugzilla activity seen across multiple unrelated repos, an account with no prior history submitting PRs to privilege-sensitive code. Tools that can flag cross-project account behavior, especially on accounts with short histories touching security-relevant components, become more valuable. The Fedora infrastructure team revoked the compromised account’s privileges; the broader question is how to build that kind of response into normal project hygiene before the next incident.
The Anaconda patches were reverted. The code is clean. But the fact that one got through into a release is the data point that matters.