
As long as the code he submits is correct, I don't see any issues.


His PGP key got stolen, so someone else could have been submitting code as him.

Hopefully he didn't also lose any SSH keys with push rights to the repo.


Except if you check the Bitcoin Core repo, all the PRs have extensive code reviews done before they're merged. The chance of a supply chain attack (e.g. node-ipc) is low.


Are we sure that the code review process hasn’t been compromised if one of the core developers’ keys has been?

It seems reasonable that some due diligence in this area be done in light of this discovery.


He doesn't have those keys, and never had. His fellow devs don't trust him too much.


And we know this how?



