A phishing campaign is targeting SourceHut users, impersonating SourceHut founder Drew DeVault and stating that SourceHut plans to be shut down following the DDoS attacks which have been affecting service recently.
These emails are not authentic. Emails sent by SourceHut are sent from addresses at sr.ht or a subdomain of sr.ht, and signed with our public key. Drew DeVault uses drew@ddevault.org and signs his emails with his own key. Occasionally we will use @sourcehut.org as well. The best way to assess the authenticity of an email from us is by verifying our PGP signatures.
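As an added example (not SourceHut's own code), a first-pass mail triage that applies the sender rules above: a message that claims to be SourceHut or Drew DeVault but comes from any other address is flagged, and one from a listed address still needs its PGP signature verified, since a From header can be forged. The keyword list, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Sender rules as stated in the notice above.
EXACT_ADDRESSES = {"drew@ddevault.org"}
EXACT_DOMAINS = {"sr.ht", "sourcehut.org"}
SUBDOMAIN_PARENTS = ("sr.ht",)  # "a subdomain of sr.ht"
# Assumption: words in the display name or subject that mark a claim to be SourceHut.
CLAIM_KEYWORDS = ("sourcehut", "sr.ht", "drew devault")


def sender_matches_notice(address: str) -> bool:
    """True if the address is one the notice lists as used by SourceHut."""
    address = address.strip().lower()
    if address in EXACT_ADDRESSES:
        return True
    local, sep, domain = address.rpartition("@")
    if not (local and sep and domain):
        return False
    domain = domain.rstrip(".")
    if domain in EXACT_DOMAINS:
        return True
    # Require a label boundary so "notsr.ht" and "sr.ht.example.net" do not match.
    return any(domain.endswith("." + parent) for parent in SUBDOMAIN_PARENTS)


def triage(raw_message: str) -> str:
    """Classify a raw RFC 5322 message by its From header and subject."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(str(msg.get("From", "")))
    claimed = f"{name} {msg.get('Subject', '')}".lower()
    if sender_matches_notice(address):
        return "verify-signature"  # listed sender: PGP check still required
    if any(word in claimed for word in CLAIM_KEYWORDS):
        return "suspicious"  # claims to be SourceHut from an unlisted address
    return "unrelated"


# Constructed sample messages (not taken from the campaign).
SAMPLES = {
    "spoof": 'From: "Drew DeVault" <drew@mail.example.com>\nSubject: SourceHut is shutting down\n\nbody',
    "listed": "From: Drew DeVault <drew@ddevault.org>\nSubject: Status update\n\nbody",
    "other": "From: Alice <alice@example.org>\nSubject: Lunch\n\nbody",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", triage(raw))
```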
We have no plans of shutting down, and we are not soliciting Bitcoin donations. We have contacted the mail provider responsible for these emails and they have suspended the sender’s account.
Some users are concerned that their personal information has been leaked. We are not aware of any large-scale leak of user data on SourceHut. However, we remind users that, while we take some measures to prevent large-scale scraping and collection of SourceHut user email addresses, your email address can be exposed to the public in the course of your work, for example in your git logs or in the archives of mailing lists.
(05:00 UTC — Apr 27)