[jamesberthoty]

Does this seem like a plausible summary?

1. tj-actions-bot PAT spoofs renovatebot commit with malicious code - probably by creating a new unprotected branch, pushing to it spoofing the renovatebot user, then deleting the branch, but we really don't know.

2. Attacker uses PAT to also update release tags, pointing them to the malicious commit, again spoofing renovatebot

3. jackton1 tries to restore older branch, and therefore pushes the commit again. The original commit wouldn't be referenced as pushed in any pull requests

[thj4742]

For #3: You don’t have to actually have a commit in a pull request for it to show up in the PR “conversation”. Simply putting the PR # in the commit message like #2460 would result in it showing up like that (“commit referenced this pull request”). The original malicious commit copied a real PR merge commit with #2460, so anyone who pushed it in this repo to any branch would have their push referenced in the PR conversation list. It’s just a misleading UI in my opinion.