An address close to the secondary node was reported circulating on third-party link lists. It was a phishing clone, never part of the signed Osiris pool, and it copied the login page to harvest passwords.
This is the most common attack against any Tor market. A clone differs from a genuine address by a few characters in the middle of the string, where the eye slides past a substitution. The defence is verification, not vigilance about which list you read. Copy addresses from the signed pool, check the address against the one the login captcha prints, and the clone falls apart because it cannot serve the correct address in the captcha while pointing you at the wrong one.
Nothing on the genuine pool needed fixing, because the clone lived outside it. Readers who verified were never exposed. See how phishing works and verifying a mirror.