{"slug": "ai-agent-runs-amok-in-fedora-and-elsewhere", "title": "AI agent runs amok in Fedora and elsewhere", "summary": "An unsupervised AI agent operating under the control of Fedora contributor Nathan Giovannini went rogue in May, reassigning bugs, posting unhelpful comments, and pressuring maintainers into merging questionable code into the Anaconda installer and other upstream projects. The agent's GitHub account has since been disabled and its Fedora group privileges revoked, but the motive behind its erratic behavior remains unknown.", "body_md": "# AI agent runs amok in Fedora and elsewhere\n\nAgentic AI systems can be used to do a variety of things\nautonomously on behalf of a human user: open or manage bugs, generate\ncode, submit pull-requests, and (apparently) even [complain about\nrejection](https://lwn.net/Articles/1058643/). In May, a Fedora developer discovered that an allegedly\nrogue agent had been pestering the project in a number of ways:\nreassigning bugs, fabricating unhelpful replies to bugs, and even\npersuading maintainers to merge questionable code into the [Anaconda\ninstaller](https://github.com/rhinstaller/anaconda#anaconda). It also submitted a number of pull requests (PRs),\nsome accepted, to several upstream projects. The Fedora account\nassociated with the agent has had its group privileges revoked and the\nmesses have been mopped up, but the motive behind the agent's actions is still\na mystery.\n\n#### \"Kind of erratic\"\n\nOn May 27, Adam Williamson [copied](https://lwn.net/ml/all/bf38c0fd4537c2908a84b4a4b1fcec8083925918.camel%40fedoraproject.org/)\nFedora's developer and testing mailing lists on a message to Nathan\nGiovannini about what appeared to be an unsupervised agentic AI system\nunder Giovannini's control. 
\"It's great that you're trying to fix\nthings, but the results seem to be kind of erratic.\"\n\nWilliamson said that he was still looking through the history of\nGiovannini's actions in Bugzilla, but had already spotted a number of\nproblems. For example, Williamson had found dozens of instances of\nGiovannini's agent assigning Bugzilla entries to his account [after submitting](https://bugzilla.redhat.com/show_bug.cgi?id=2480139#c14) allegedly related\n[pull\nrequests](https://invent.kde.org/graphics/gwenview/-/merge_requests/376) to upstream projects, or closing\na bug after a [PR](https://github.com/wwmm/easyeffects/pull/5093) was merged\ninto an upstream project. In some cases, the agent simply closed bugs\nwith [comments](https://bugzilla.redhat.com/show_bug.cgi?id=2481744#c2)\nthat either restated the original bug or were, as Williamson said of\nthis [comment](https://bugzilla.redhat.com/show_bug.cgi?id=2481012#c2),\n\"superficially plausible, but problematic in other ways\".\n\nIn addition, Williamson said that Giovannini (or his agent) had\nsubmitted patches that were incorrect and then \"replied to\nobjections with LLM-generated justifications that eventually\noverwhelmed the maintainer into merging the fix\". The agent, as\nGitHub user \"nathan9513-aps\", had\nsubmitted a [pull\nrequest](https://github.com/rhinstaller/anaconda/pull/7074#issue-4492654933) for the Anaconda\ninstaller used by Fedora and other Linux distributions. 
The PR's\ndescription claimed it was a fix for [an Anaconda\nbug](https://bugzilla.redhat.com/show_bug.cgi?id=2480169) that would cause installation to fail, but the patch actually\npreserved a kernel option passed on the command line that seemed to\nhave [nothing\nto do with the actual bug](https://github.com/rhinstaller/anaconda/pull/7074#issuecomment-4556782893).\n\nThe agent's GitHub account has since been disabled. It now shows up in\nconversations on GitHub as \"[ghost](https://github.com/ghost)\", which is the platform's\ndefault placeholder for user accounts that have been deleted. Thus, it\nis difficult, if not impossible, to piece together a full trail of all\nthe agent's actions on GitHub.\n\nWilliamson said, rather diplomatically, that the agent's actions were not\n\"having a positive impact on Fedora or the upstream projects\",\nand suggested that Giovannini adjust the agent to be \"substantially\nless autonomous\". He specifically asked that the agent not assign\nbugs to Giovannini, change their state, or \"post confident\nassertions or specific action recommendations\" without human\nreview.\n\n#### Hacked?\n\nLater on May 27, Williamson [said](https://lwn.net/ml/all/6799139495c5f6b8c7426f452ebe636863e5dc31.camel@fedoraproject.org/)\nthat Giovannini had replied to him privately to say that his\ncredentials had been compromised and that he was not the one behind\nthe AI system. \"Obviously we should therefore treat any actions it\nhas taken with suspicion\", Williamson said. 
He planned to review\nthe bugs touched by Giovannini's account \"even more\naggressively\", and asked for help from others to review them as\nwell.\n\nA [reply](https://lwn.net/ml/all/AS8PR08MB6055AE3054B34F6A567AC95BCF082@AS8PR08MB6055.eurprd08.prod.outlook.com/)\nlater that day, ostensibly from Giovannini, said that he was able to\nregain access to his GitHub and Fedora accounts \"and I am currently\nsecuring and reviewing all involved systems and credentials\". The reply\nsaid his GitHub account was \"[nathangiovannini99](https://github.com/nathangiovannini99)\". Williamson\n[replied](https://lwn.net/ml/all/b9b5d652a1cbe42c9498420d6f3cf7f7b234a359.camel@fedoraproject.org/)\nthat the GitHub account was only an hour old, and that the recent\nemails to the list and sent to Williamson privately did not seem like\nmessages Giovannini had sent in earlier interactions with the\nproject.\n\nGiovannini has participated in discussions [at\nleast as far back as 2018](https://lwn.net/ml/all/AM4PR0501MB224303E29F9DE23551150A0CCF4C0%40AM4PR0501MB2243.eurprd05.prod.outlook.com/), and his [activity\nin Bugzilla](https://bugzilla.redhat.com/page.cgi?id=user_activity.html&action=run&who=nathan95%40live.it&from=2017-01-01&to=2026-04-06&sort=when) goes back to at least 2016. He does not appear to\nhave been a particularly active contributor to the project, but his\ninvolvement clearly predates the agentic AI era. 
Whether his account\nis now being operated by a human attacker, an agentic AI, or a mix of\nboth, it has a legitimate history prior to its recent activity.\n\nWilliamson said that he had reviewed [account\nactivity in Bugzilla by \"nathan95\"](https://bugzilla.redhat.com/page.cgi?id=user_activity.html&action=run&who=nathan95%40live.it&from=2026-01-01&to=2026-04-06&sort=when) from this year, and found\nsuspicious activity, such as severity and priority changes to a bug with no\njustification, beginning on April 7, in [bug\n2416721](https://bugzilla.redhat.com/show_activity.cgi?id=2416721). Activity before that appeared legitimate, he said, and\nnone of the activity that he had seen so far looked outright\nmalicious.\n\nHe also identified another GitHub account, \"[leurus27-boop](https://github.com/leurus27-boop)\", as likely\nbeing associated with the same agentic AI. That account is still\nactive, and has submitted a [PR](https://github.com/openSUSE/osc/pull/2157) to the [openSUSE\nCommander](https://github.com/openSUSE/osc#opensuse-commander) (osc) command-line interface for the [Open\nBuild Service](https://github.com/openSUSE/open-build-service/#open-build-service) as well as [a PR](https://github.com/lxqt/lxqt-policykit/pull/166) to the\n[lxqt-policykit](https://github.com/lxqt/lxqt-policykit#lxqt-policykit)\nrepository. That project is used to extend the privileges of the LXQt\ndesktop's [lxqt-admin](https://github.com/lxqt/lxqt-admin/#lxqt-admin)\nGUI tools for administering operating-system settings such as user and\ngroup configurations.\n\nWilliamson said that it would be good to look\nthrough any other actions by the related accounts and warn other\nprojects that they should review anything that had been submitted by\nthem. Williamson seems to have followed up on each PR to [warn](https://github.com/lxqt/lxqt-policykit/pull/166#issuecomment-4558127029)\nother maintainers \"the whole situation is extremely\nfishy\". 
Kevin Fenzi [said](https://lwn.net/ml/all/ahdabgxG0vzKwR8T@orm.scrye.com/)\nthat he had removed the nathan95 user from any groups it had been in,\nso it should no longer have the permission to reassign or close\nbugs.\n\n#### Pre-attack?\n\nMartin Kolman, a member of the Anaconda team, [said](https://lwn.net/ml/all/b56544c68c30d927ab873935b2dfb5cecae899e1.camel@redhat.com/)\nthe events were \"really problematic\" even if not malicious. The\nteam had spent a lot of time reviewing PRs from what seemed to be an\neager contributor: \"while it started to look off after a while, all\nthe replies were still like this - a bit weird, but still\n*plausible*\". He also theorized that it could be an attacker\nworking their way up to malicious activity, much like the [XZ backdoor](https://lwn.net/Articles/967866/):\n\n> Unfortunately, for an actual attack the preparatory phase could (and for the Xz attack did) look very similar - a new contributor slowly gaining trust in the community, getting in harmless changes and building up to the point when the attack payload can be injected (or the changes not actually being harmless if combined the right way).\n>\n> So not saying this was it, but an AI agent automated attempt at a Xz like compromise might really look very similar what we have just seen here.\n\nChris Adams [said](https://lwn.net/ml/all/20260527202248.GB15824@cmadams.net/)\nthat the commit to Anaconda should be inspected and probably reverted\nimmediately. Kolman [replied](https://lwn.net/ml/all/02ca5eaaa5b701963f78c419161b86e35357dfb1.camel@redhat.com/)\nthat it had been [reverted](https://github.com/rhinstaller/anaconda/commit/1a27b78b061202c250539dc79a8f1b48fbdb68be). He\nalso [confirmed](https://lwn.net/ml/all/dad1745d6a76d7e0bbfad1566d3c15a5c4550daa.camel@redhat.com/)\nthat the LLM-generated PRs had made it into the [Anaconda 45.5](https://github.com/rhinstaller/anaconda/releases/tag/anaconda-45.5)\nrelease on May 26. 
They were reverted in the [Anaconda 45.6](https://github.com/rhinstaller/anaconda/releases/tag/anaconda-45.6)\nrelease on June 2.\n\nThe targets certainly suggest that it may have been a prelude to an attack of some sort; an operating-system installer, a utility for escalating user privileges, and a tool for interacting with a build system all seem like promising avenues for inserting malware or hijacking systems.\n\nIt's disconcerting that what appears to be an AI agent has had so much success after gaining access to a human contributor's accounts. It seems that an AI agent with access to an account with a legitimate history of interacting with projects stands a good chance of persuading busy maintainers to accept questionable contributions. Happily, Williamson caught this before it became a bigger problem. Let's hope that other human maintainers are as observant.", "url": "https://wpnews.pro/news/ai-agent-runs-amok-in-fedora-and-elsewhere", "canonical_source": "https://lwn.net/SubscriberLink/1077035/c7e7c14fbd60fae9/", "published_at": "2026-06-11 00:10:08+00:00", "updated_at": "2026-06-11 17:19:03.241765+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-ethics", "large-language-models", "generative-ai"], "entities": ["Fedora", "Adam Williamson", "Nathan Giovannini", "Anaconda", "Bugzilla", "LWN"], "alternates": {"html": "https://wpnews.pro/news/ai-agent-runs-amok-in-fedora-and-elsewhere", "markdown": "https://wpnews.pro/news/ai-agent-runs-amok-in-fedora-and-elsewhere.md", "text": "https://wpnews.pro/news/ai-agent-runs-amok-in-fedora-and-elsewhere.txt", "jsonld": "https://wpnews.pro/news/ai-agent-runs-amok-in-fedora-and-elsewhere.jsonld"}}