The XZ Utils backdoor (CVE-2024-3094) demonstrated that a state-level actor can spend 2 years socially engineering their way into a solo-maintained compression library used by nearly every Linux distribution

In March 2024, Microsoft engineer Andres Freund accidentally discovered a sophisticated backdoor in xz-utils versions 5.6.0 and 5.6.1 that would have given attackers remote root access to most Linux servers worldwide via a compromised OpenSSH authentication path. The attacker, using the pseudonym 'Jia Tan,' spent over two years (November 2021 to February 2024) building trust with the sole maintainer before injecting the backdoor.

Why it matters: the backdoor was days away from shipping in stable Linux distributions, where it would have been present on hundreds of millions of servers. Attackers would then have had unauthenticated remote code execution on critical infrastructure, including cloud providers and government systems, meaning a single compromised compression library could have enabled mass surveillance or destructive cyberattacks. More broadly, the entire trust model of open source contribution was shown to be fundamentally exploitable by patient adversaries.

The structural root cause is that xz-utils, a foundational component in virtually every Linux distribution's boot and SSH chain, was maintained by a single burned-out volunteer (Lasse Collin) who gratefully accepted help from the only person offering it, and no distribution or corporation sponsoring Linux invested in verifying the identity or intentions of new maintainers of this critical dependency.

Evidence

CVE-2024-3094 was assigned a CVSS severity score of 10.0 (the maximum). The backdoor was discovered on March 29, 2024 by Andres Freund at Microsoft while investigating a 500ms SSH login latency anomaly. The attack modified OpenSSH's authentication path through liblzma, which the systemd-patched sshd builds shipped by several distributions load indirectly via libsystemd. Jia Tan's first commit to xz-utils was in November 2021; they became co-maintainer by early 2023. American security researcher Dave Aitel attributed the attack pattern to APT29 (Russian SVR). Fedora 41, Debian Sid, openSUSE Tumbleweed, and Kali Linux had already shipped affected versions before discovery. Source: Datadog Security Labs, CrowdStrike, and SentinelOne analyses of CVE-2024-3094.
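The two facts a defender acted on at the time were the affected version set (5.6.0 and 5.6.1) and the load path (sshd pulling liblzma in through libsystemd). The following host triage script is an added example, not code from the original post or from the xz or OpenSSH projects; it assumes `xz --version` and `ldd` are available on the host, and the `ldd` listing used in the test is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): a defender's triage check for
# CVE-2024-3094. It flags the two backdoored xz-utils releases (5.6.0 and
# 5.6.1) and reports whether an sshd binary has liblzma among its dynamic
# dependencies, which is the load path the backdoor relied on
# (sshd -> libsystemd -> liblzma on distributions that patch sshd for
# systemd readiness notification). A vanilla upstream sshd does not link
# liblzma at all.

# Return 0 (true) if the given version string is one of the backdoored
# releases. Accepts "xz (XZ Utils) 5.6.1", "liblzma 5.6.0" or a bare "5.6.0".
xz_version_affected() {
    ver=$(printf '%s' "$1" \
        | sed -n 's/.*\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p' \
        | head -n 1)
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 if an `ldd` listing (read from stdin) shows liblzma being loaded.
ldd_links_liblzma() {
    grep -q 'liblzma\.so'
}

# Run both checks against the local host and print a short verdict.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        if xz_version_affected "$(xz --version 2>/dev/null | head -n 1)"; then
            echo "WARNING: installed xz is a backdoored release (5.6.0/5.6.1)"
        else
            echo "xz version is not in the affected set"
        fi
    else
        echo "xz not found on PATH; check liblzma via the package manager"
    fi

    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd_path" 2>/dev/null | ldd_links_liblzma; then
            echo "NOTE: $sshd_path loads liblzma (systemd-patched build); verify the liblzma version above"
        else
            echo "$sshd_path does not load liblzma"
        fi
    fi
}

check_host
```

The version check is deliberately an exact-match allowlist of the two bad releases rather than a "greater than" comparison, because 5.6.2 (the cleaned follow-up release) is not affected. Checking whether sshd actually loads liblzma tells you whether the host was exposed through the path the backdoor used, which matters when the installed xz is affected but sshd is an unpatched upstream build.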
