by dralley 819 days ago
Hold up, are you saying that https://github.com/jaredallard and the accounts affiliated with this XZ backdoor share a PGP key? Or something else?

No, this account made a PR and their commits were signed [1]. Take a look at their other repositories, e.g. they did AoC 2023 in Rust and published it, the commits in that repository are signed by the same key. So this is not (just) a GitHub account compromise.

I find this aspect to be an outlier, the other attacker accounts were cutouts. So this doesn't quite make sense to me.

[1] https://github.com/jamespfennell/xz/pull/2/commits
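The reply's evidence is that commits in two unrelated repositories carry signatures from the same PGP key. The following script, added here as an example and not something posted in the thread, shows how an analyst would check that claim: it takes `git log` output in a fixed format (`%H` hash, `%G?` signature status, `%GK` signing key ID, all real git placeholders), parses it per repository, and reports which verifiable signing keys the repositories share and which commits are unsigned or carry a bad signature. The sample log lines, hashes and key IDs below are constructed placeholders, not values from the repositories named in the thread.

```python
"""Compare commit-signing key IDs across repositories from `git log` output."""
import subprocess

# git format: commit hash, signature status (%G?), signing key ID (%GK), tab-separated.
# %G? values: G good, U good but untrusted key, B bad, N no signature, E/X/Y/R other.
GIT_LOG_FORMAT = "%H%x09%G?%x09%GK"

# Constructed sample output, shaped like `git log --format=<GIT_LOG_FORMAT>` for two
# repositories. Hashes and key IDs are placeholders, not from any real repository.
SAMPLE_REPO_A = """\
1111111111111111111111111111111111111111\tG\tAAAAAAAAAAAAAAAA
2222222222222222222222222222222222222222\tG\tAAAAAAAAAAAAAAAA
3333333333333333333333333333333333333333\tN\t
"""
SAMPLE_REPO_B = """\
4444444444444444444444444444444444444444\tU\tAAAAAAAAAAAAAAAA
5555555555555555555555555555555555555555\tG\tBBBBBBBBBBBBBBBB
6666666666666666666666666666666666666666\tB\tBBBBBBBBBBBBBBBB
"""


def collect_log(repo_path):
    """Run git in a real repository and return its log in GIT_LOG_FORMAT (not used by the sample)."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", f"--format={GIT_LOG_FORMAT}"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


def parse_log(text):
    """Return a list of (hash, status, key_id) tuples; key_id is '' for unsigned commits."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"unexpected git log line: {line!r}")
        rows.append((parts[0], parts[1], parts[2]))
    return rows


def signing_keys(rows):
    """Key IDs that produced a signature git could verify (status G or U)."""
    return {key for _, status, key in rows if status in ("G", "U") and key}


def unsigned_or_bad(rows):
    """Hashes of commits that are unsigned or whose signature did not verify."""
    return [h for h, status, _ in rows if status not in ("G", "U")]


def shared_keys(log_a, log_b):
    """Signing keys that appear with a verifiable signature in both logs."""
    return signing_keys(parse_log(log_a)) & signing_keys(parse_log(log_b))


if __name__ == "__main__":
    print("shared signing keys:", shared_keys(SAMPLE_REPO_A, SAMPLE_REPO_B))
    for name, log in (("A", SAMPLE_REPO_A), ("B", SAMPLE_REPO_B)):
        print(f"repo {name} unsigned/bad:", unsigned_or_bad(parse_log(log)))
```

For real repositories, feed `collect_log(path)` into `shared_keys`; git must have the public keys available for `%G?` to report G or U rather than E. A shared key ID only shows that the same key signed both histories, not who controls it; `%GK` is a 64-bit key ID, so use `%GF` (full fingerprint) when comparing keys from different keyrings.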