They're definitely a real person. I know cause that "1Password employee since December" is a person I know IRL and worked with for years at their prior employer. They're not a no-name person or a fake identity just FYI. Please don't be witch hunting; this genuinely looks like an unfortunate case where Jared was merely proactively doing their job by trying to get an externally maintained golang bindings of XZ to the latest version of XZ. Jared's pretty fantastic to work with and is definitely the type of person to be filing PRs on external tools to get them to update dependencies. I think the timing is comically bad, but I can vouch for Jared.

https://github.com/jamespfennell/xz/pull/2

If I were trying to compromise supply chains, getting into someplace like 1Password would be high up on the list.

Poor guy, he's probably going to get the third degree now.

As a 1Password user, I just got rather nervous.

Yeah the GitHub account looks really really legitimate. Maybe it was compromised though?