If so, chances are we will see this happen again. Adding a payload to an open source project and signing it with a new key is not rocket science.