@julijane I'm not sure if I understand the negative implications of what they have done. can you help me?
I'm aware that sharing private keys with anybody is generally a bad idea.
what could / would a bad actor do with their key? provide custom DNS entries for localhost.direct with a "trusted" certificate and then trick people into downloading malicious content (because it shows a valid certificate)?