
For #3: You don’t have to actually have a commit in a pull request for it to show up in the PR “conversation”. Simply putting the PR # in the commit message like #2460 would result in it showing up like that (“commit referenced this pull request”). The original malicious commit copied a real PR merge commit with #2460, so anyone who pushed it in this repo to any branch would have their push referenced in the PR conversation list. It’s just a misleading UI in my opinion.

