by deathanatos 668 days ago
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78b...

The link you want from that is this https://bsky.app/profile/filippo.abyssdomain.expert/post/3ko... ; that set of tweets has the high-level overview.

They in turn link to https://github.com/amlweems/xzbot which has more details.

The TL;DR is that it hooks the RSA bits to look for an RSA cert with a public key that isn't really an RSA public key; the pubkey material contains a signed & encrypted request from the attacker, signed & encrypted with an ed448 key. If the signature checks out, system() is called, i.e., RCEaaS for the attacker.
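An added illustration, not part of the comment above and not code from xzbot or OpenSSH: a structural sanity check showing what it means for key material to be carried in RSA fields without being a plausible RSA public key. It assumes a plain RFC 4253 `ssh-rsa` key blob rather than a full certificate; the function names and both sample moduli are constructed for this example, and the check is a plausibility heuristic only.

```python
# Odd primes below 2000, used for trial division of the modulus.
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]

def _mpint(x):
    # RFC 4251 mpint for a positive integer: 4-byte length, big-endian bytes,
    # with a leading zero byte when the top bit would otherwise be set.
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return len(raw).to_bytes(4, "big") + raw

def build_ssh_rsa_blob(e, n):
    # Encoder used only to build the constructed samples below.
    return (7).to_bytes(4, "big") + b"ssh-rsa" + _mpint(e) + _mpint(n)

def _read_field(buf, off):
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if end > len(buf):
        raise ValueError("field runs past end of blob")
    return buf[off + 4:end], end

def parse_ssh_rsa_blob(blob):
    # Layout per RFC 4253: string "ssh-rsa", mpint e, mpint n.
    kind, off = _read_field(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    e_raw, off = _read_field(blob, off)
    n_raw, off = _read_field(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return tuple(int.from_bytes(r, "big", signed=True) for r in (e_raw, n_raw))

def rsa_key_anomalies(e, n):
    # Reasons the (e, n) pair cannot be a sane RSA public key; empty if none.
    found = []
    if n.bit_length() < 2048:
        found.append("modulus shorter than 2048 bits")
    if n <= 0 or n % 2 == 0:
        found.append("modulus is not a positive odd integer")
    else:
        hit = next((p for p in SMALL_PRIMES if n % p == 0), None)
        if hit:
            found.append(f"modulus divisible by small prime {hit}")
    if e < 3 or e % 2 == 0:
        found.append("exponent is not an odd integer >= 3")
    return found

# Constructed samples: a product of two Mersenne primes (structurally a valid
# modulus, not a secure one) and 256 opaque bytes placed in the modulus field.
GOOD_N = (2 ** 1279 - 1) * (2 ** 2203 - 1)
OPAQUE_N = int.from_bytes(b"\x81" * 256, "big")
```

A clean result does not show that a key is benign; the check only flags fields that cannot be a product of two large primes.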