AI agent runs amok in Fedora and elsewhere [LWN.net]

LWN<br>.net<br>News from the source

Content Weekly Edition<br>Archives<br>Search<br>Kernel<br>Security<br>Events calendar<br>Unread comments

LWN FAQ<br>Write for us

Edition Return to the Front page

User:<br>Password: |

Log in /<br>Subscribe /<br>Register

AI agent runs amok in Fedora and elsewhere

[LWN subscriber-only content]

By Joe Brockmeier<br>June 10, 2026

Agentic AI systems can be used to do a variety of things<br>autonomously on behalf of a human user: open or manage bugs, generate<br>code, submit pull-requests, and (apparently) even complain about<br>rejection. In May, a Fedora developer discovered that an allegedly<br>rogue agent had been pestering the project in a number of ways:<br>reassigning bugs, fabricating unhelpful replies to bugs, and even<br>persuading maintainers to merge questionable code into the Anaconda<br>installer. It also submitted a number of pull requests (PRs),<br>some accepted, to several upstream projects. The Fedora account<br>associated with the agent has had its group privileges revoked and the<br>messes have been mopped up, but the motive behind the agent's actions is still<br>a mystery.

"Kind of erratic"

On May 27, Adam Williamson copied<br>Fedora's developer and testing mailing lists on a message to Nathan<br>Giovannini about what appeared to be an unsupervised agentic AI system<br>under Giovannini's control. "It's great that you're trying to fix<br>things, but the results seem to be kind of erratic."

Williamson said that he was still looking through the history of<br>Giovannini's actions in Bugzilla, but had already spotted a number of<br>problems. For example, Williamson had found dozens of instances of<br>Giovannini's agent assigning Bugzilla entries to his account after submitting allegedly related<br>pull<br>requests to upstream projects, or closing<br>a bug after a PR was merged<br>into an upstream project. In some cases, the agent simply closed bugs<br>with comments<br>that either restated the original bug or were, as Williamson said of<br>this comment,<br>"superficially plausible, but problematic in other ways".

The staff here at LWN.net really appreciate the subscribers who make<br>our work possible. Is there a chance we could interest you in becoming one of them?

In addition, Williamson said that Giovannini (or his agent) had<br>submitted patches that were incorrect and then "replied to<br>objections with LLM-generated justifications that eventually<br>overwhelmed the maintainer into merging the fix". The agent, as<br>GitHub user "nathan9513-aps", had<br>submitted a pull<br>request for the Anaconda<br>installer used by Fedora and other Linux distributions. The PR's<br>description claimed it was a fix for an Anaconda<br>bug that would cause installation to fail, but the patch actually<br>preserved a kernel option passed on the command line that seemed to<br>have nothing<br>to do with the actual bug.

The agent's GitHub account has since been disabled. It now shows up in<br>conversations on GitHub as "ghost", which is the platform's<br>default placeholder for user accounts that have been deleted. Thus, it<br>is difficult, if not impossible, to piece together a full trail of all<br>the agent's actions on GitHub.

Williamson said, rather diplomatically, that the agent's actions were not<br>"having a positive impact on Fedora or the upstream projects",<br>and suggested that Giovannini adjust the agent to be "substantially<br>less autonomous". He specifically asked that the agent not assign<br>bugs to Giovannini, change their state, or "post confident<br>assertions or specific action recommendations" without human<br>review.

Hacked?

Later on May 27, Williamson said<br>that Giovannini had replied to him privately to say that his<br>credentials had been compromised and that he was not the one behind<br>the AI system. "Obviously we should therefore treat any actions it<br>has taken with suspicion", Williamson said. He planned to review<br>the bugs touched by Giovannini's account "even more<br>aggressively", and asked for help from others to review them as<br>well.

A reply<br>later that day, ostensibly from Giovannini, said that he was able to<br>regain access to his GitHub and Fedora accounts "and I am currently<br>securing and reviewing all involved systems and credentials". The reply<br>said his GitHub account was "nathangiovannini99". Williamson<br>replied<br>that the GitHub account was only an hour old, and that the recent<br>emails to the list and sent to Williamson privately did not seem like<br>messages Giovannini had sent in earlier interactions with the<br>project.

Giovannini has participated in discussions at<br>least as far back as 2018, and his activity<br>in Bugzilla goes back to at least 2016. He does not appear to<br>have been a particularly active contributor to the project, but his<br>involvement clearly predates the agentic AI era. Whether his account<br>is now being operated by a human attacker, an agentic AI, or a mix of<br>both, it has a legitimate history prior to its recent activity.

Williamson said that he had reviewed account<br>activity in Bugzilla by "nathan95" from this year, and found<br>suspicious activity, such as...