Hacker News new | past | comments | ask | show | jobs | submit
lukan | on: AI agent runs amok in Fedora and elsewhere
"this is an early experiment in carrying out an Xz attack by using an agent to build trust"

Is this confirmed? There is the message from somebody claiming to be the original contributer claiming to have been hacked, but that was weird (1 h old github account) so other scenarios seem possible

a) really a agent going off the rails

b) the contributer trying to cover up that he let an agent run wild and now made more misstakes along the way

So yes, it seems like an attack to me, but it is far from clear what really happened.

marcus_holmes | parent | next
From the article:

> "So not saying this was it, but an AI agent automated attempt at a Xz like compromise might really look very similar what we have just seen here."

Without identifying and interviewing the attacker we can't confirm that's what they intended, and there's a possibility that it was just incompetence/ignorance/whatever, but we should probably treat it as an attempted attack even if it wasn't.

srdjanr | root | parent
We should treat it as attempted attack in the sense of preparing for the next one, but I don't see why we should call it "attack" without any evidence
account42 | root | parent | next
We can call it an attack because the operator is responsible for the automation no matter what it does.
marcus_holmes | root | parent
If it looks like a duck...
alexjurkiewicz | parent | next
If the real credentials owner was running the agent, why do it from a new GitHub account?

Someone's bug tracker account was hacked.

m4rtink | root | parent
So far it looks like just their previously legit Fedora account got taken over & the other accounts (GitHub) then generated on demand as needed for whatever it was trying to achieve, right ?

BTW, any idea what are the current requirements for creating a new GitHub account ? That could provide some information about if there was actually a person controlling thing thing at that moment to say provide wahtever was necessary to get the new GitHub account.