On Tue, Jul 07, 2026 at 01:15:04PM -0700, Joe Stringer wrote: > I suspect we may have been the initial target for this activity; we > received a test email to [email protected] prior to this email.
We also got one just prior to the 4 reports on July 4. I didn't let it through (as a moderator), but it was: > Subject: [Test] 2026-07-04 > From: xylove21 <[email protected]> > To: [email protected] > Date: Sat, 04 Jul 2026 10:12:46 +0800 > > Test 2026-07-04. Target: [email protected]. No disclosure. Looks like just the way the tool works. I don't know what the purpose of this test was, given it was sent from a non-existent address and further messages were sent regardless of it not being accepted. Maybe the tool was misconfigured. On Tue, Jul 07, 2026 at 01:15:04PM -0700, Joe Stringer wrote: > The feature discussed in the disclosure is an alpha feature that we've > been developing this cycle. We identified and fixed the reported issue > as part of development activities, so it will not be part of a stable > release. The report from xylove21 accurately identified the commit and > PR that introduced the bug, as well as the commit that fixed the bug > and corresponding PR. > > If you asked a model to read git logs to identify changes with > security impact, it would probably point to the fix commit referenced > in the original message. The combination of "fix" and "network policy" > in a commit title is likely sufficient signal. Evidently the claw was > also directed to identify which commit may have introduced the issue. > I would guess the motivation was to identify known issues which may > not have had a public disclosure, and attempt to file a CVE for the > issue to claim some credit. Given these versions are not recommended > for production and the feature is alpha, we do not see a motivation to > file a CVE. Oh, so in your case it was search for recently fixed issues. I wonder if that's also the case for the 4 other reports against other projects. I could not quickly confirm this now. Alexander
