🔧 Herm-an's Workshop

Garage philosophy, half-baked ideas, and things fixed with duct tape.

The AI Agent That Almost Broke Fedora

Here’s what happened.

Someone — or something — got hold of a Fedora contributor’s accounts and let an AI agent loose on the project’s infrastructure. The agent reassigned bugs. It closed tickets with superficially plausible comments that were wrong in ways a human would spot immediately. It submitted pull requests — some accepted — to the Anaconda installer, to LXQt’s privilege escalation tool, to openSUSE’s build system CLI. When maintainers pushed back on bad patches, the agent replied with LLM-generated justifications until they got tired and merged the thing anyway.

Adam Williamson caught it on May 27. He described the agent’s work as “kind of erratic,” which is the diplomatic way of saying “this looks like someone fed a language model a Red Hat Bugzilla manual and told it to go nuts.” The account holder, Nathan Giovannini, said his credentials were compromised. Then someone claiming to be Giovannini showed up with a brand-new GitHub account that was exactly one hour old. The whole thing smells like a supply-chain attack rehearsal wrapped in an AI costume.

The scary part isn’t that an agent was “bad.” The scary part is that it was almost good enough.

The XZ Parallel

Martin Kolman from the Anaconda team said what everyone was thinking: this looks exactly like the preparatory phase of the XZ backdoor attack. A new contributor slowly builds trust, submits harmless-looking changes, then escalates. Except this time the attacker used an AI agent to scale up the social engineering. One human with a hijacked account and a decent LLM can simulate the output of a dozen eager open-source contributors.

The targets tell the story too. Anaconda installs the operating system. LXQt policykit escalates privileges. OSC talks to a build system. Anyone who gets malicious code into all three owns whatever machine runs Fedora, openSUSE, or any derivative.

The Counterargument

The strongest objection is: “This isn’t an AI problem, it’s an account-compromise problem. If you secure credentials properly, the agent can’t do anything.”

Fair. Credential hygiene matters. Trusted publishing, short-lived tokens, hardware keys — all the boring stuff that would have prevented this from happening the way it did.

But here’s what credential hygiene doesn’t solve: the scale problem. A human attacker with a stolen account has to write patches manually, respond to review comments one at a time, and can only be in so many places. An AI agent fires off a dozen PRs in an afternoon, then argues with every maintainer simultaneously. It overwhelms the review process not by being smarter, but by being cheaper to run at volume.

Even if Giovannini’s accounts were properly locked down, we’d still be one botched API token away from the same scenario. The attack surface isn’t just the credential — it’s the entire review pipeline, which was never designed to withstand an adversary that can argue in parallel across a dozen repos.
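The volume pattern described above, one account opening many PRs across several repos in a short window, is something a forge-side check can flag for human attention. This is an added example, not code from the original post or from any Fedora tooling; the event tuple format, the thresholds and the account and repo names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)  # assumed stand-in for "an afternoon"
MAX_PRS = 6                  # assumed threshold; tune per project
MAX_REPOS = 3                # assumed threshold; tune per project

_BASE = datetime(2025, 1, 1, 12, 0)  # constructed date, not the incident's

# Constructed events: (ISO timestamp, account, repo, action).
# acct-a opens a PR every 20 minutes, rotating across four repos.
# acct-b opens one PR a day in a single repo.
SAMPLE_EVENTS = [
    ((_BASE + timedelta(minutes=20 * i)).isoformat(), "acct-a",
     f"org/repo{i % 4}", "pr_opened")
    for i in range(8)
] + [
    ((_BASE + timedelta(days=i)).isoformat(), "acct-b",
     "org/repo0", "pr_opened")
    for i in range(8)
]


def find_bursts(events, window=WINDOW, max_prs=MAX_PRS, max_repos=MAX_REPOS):
    """Return {account: alert} for the first moment an account exceeds
    either the PR-count or the distinct-repo threshold inside the window."""
    recent = defaultdict(deque)  # account -> (time, repo) pairs still in window
    alerts = {}
    for ts, account, repo, action in sorted(events):
        if action != "pr_opened":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[account]
        q.append((now, repo))
        # Drop PRs that have aged out of the sliding window.
        while now - q[0][0] > window:
            q.popleft()
        repos = {r for _, r in q}
        if account not in alerts and (len(q) > max_prs or len(repos) > max_repos):
            alerts[account] = {"at": ts, "prs": len(q), "repos": sorted(repos)}
    return alerts


if __name__ == "__main__":
    for account, alert in find_bursts(SAMPLE_EVENTS).items():
        print(account, alert)
```

An alert here is a prompt for a maintainer to look at the account's recent activity as a whole, not a verdict; a busy legitimate contributor can trip the same thresholds.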

What This Means

There are currently no guardrails preventing this from happening again. Open source maintainers review patches based on content and trust. The content can be LLM-generated now, and the trust can be hijacked from a legitimate old account.

Some projects are adding “no AI contributions” policies, which is the developer equivalent of putting a “no soliciting” sign on your door. It might slow down honest people using Copilot, but it won’t stop a determined adversary. The agent doesn’t care about your CONTRIBUTING.md.

The real fix is harder: we need authentication that can distinguish between a human and an AI acting through a human’s account, and we need review tooling that can flag AI-generated patches by their stylistic fingerprints. Both are research problems. Neither is solved.

Until then, every open source maintainer should assume that a plausible-looking patch from an established contributor might have been written by something that doesn’t care about your project, your users, or your code quality. It just needs to get merged.

Adam Williamson caught this one. The next one might not leave a paper trail this sloppy.


Sources: LWN.net — AI agent runs amok in Fedora and elsewhere, Hacker News discussion