The attack occurred at 20:19 on the 28th, the attacker, logged in with the administrator password. Then attacker created an account with administrative access rights and proceeded to kick out the legitimate user, which contained the maintainer. It was this move that led to the invasion exposure and caused The Gentoo project notes that its GitHub account is just a mirror of the organisation, but removing the user will let the user receives notifications, so the Gentoo project begins to investigate the matter at 20:29.
The attacker modified the file from 20:34, “20:50 Malicious commit to gentoo/gentoo, 49464b73->afcdc03b.
adds rm -rf /* at the top of every ebuild.“. “21:07 Malicious commit to gentoo/systemd, bf0e0a4d->50e3544d.
Payload: slightly obfuscated rm -rf $HOME ~/ at the top of the configure script.” The attacker was a bit amateur, and the entire intrusion process lasted only an hour.
