On March 29, 2024, the developer Andres Freund sent a message to the oss-security mailing list that became one of the most consequential security disclosures in open source history. He had noticed odd symptoms (ssh logins using far more CPU than they should, and valgrind errors in liblzma) and traced them to their source: “The upstream xz repository and the xz tarballs have been backdoored” (https://www.openwall.com/lists/oss-security/2024/03/29/4). xz is a small, widely used compression library, and because some distributions build sshd against libsystemd, which in turn pulls liblzma into the sshd process, the attacker had nearly gained a hidden way into sshd on countless Linux systems.
The mechanism was extraordinarily devious. The U.S. National Vulnerability Database, recording the issue as CVE-2024-3094, describes it: “Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code” (https://nvd.nist.gov/vuln/detail/CVE-2024-3094). The payload was hidden in test files, assembled only during the build (it was present in the release tarballs but not in the git source tree as such), and aimed at the SSH server’s public-key authentication path, hooking RSA signature verification inside the sshd process. NVD rated it CVSS 10.0, the maximum.
What made it a textbook supply-chain attack was not just the code but the long con behind it. CISA’s alert frames it as “a multi-year effort by a malicious threat actor to gain the trust of the package’s maintainer and inject a backdoor.” The attacker had built up a reputation as a helpful contributor over a long period before slipping in the malicious commits. CISA recommended that users “downgrade XZ Utils to an uncompromised version, such as XZ Utils 5.4.6 Stable,” and hunt for signs of compromise (https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094).
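The two checks a defender would run first after that alert, as an added example (not CISA's or the xz project's own code): parse the installed version and flag the affected releases, and confirm whether this host's sshd actually loads liblzma. It assumes the affected releases are 5.6.0 and 5.6.1 (the versions listed for CVE-2024-3094), and that the `xz --version` and `ldd` output shapes in the constructed samples are representative of real output.

```python
"""Post-advisory checks for CVE-2024-3094 on a Linux host.

Added example, not code from the page, CISA or the xz project.
Assumptions: affected releases are 5.6.0 and 5.6.1; `xz --version`
prints a 'liblzma X.Y.Z' line; `ldd` lists shared objects one per line.
"""
import re
import shutil
import subprocess

AFFECTED = {(5, 6, 0), (5, 6, 1)}  # xz releases that shipped the backdoor
SAFE_DOWNGRADE = "5.4.6"           # the version CISA names as uncompromised


def parse_xz_version(output: str):
    """Extract (major, minor, patch) from `xz --version` output.

    Prefers the 'liblzma' line, since the library is what sshd would load;
    falls back to the 'xz (XZ Utils)' line. Returns None if neither parses.
    """
    m = re.search(r"liblzma\s+(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        m = re.search(r"xz \(XZ Utils\)\s+(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version) -> bool:
    return tuple(version) in AFFECTED


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if the ldd listing for sshd names liblzma. ldd resolves
    transitive dependencies, so liblzma pulled in via libsystemd shows too."""
    return any(line.strip().startswith("liblzma.so")
               for line in ldd_output.splitlines())


def assess(xz_output: str, ldd_output: str) -> dict:
    """Combine both checks; a host is exposed only if both are true."""
    v = parse_xz_version(xz_output)
    return {
        "version": v,
        "affected_version": v is not None and is_affected(v),
        "sshd_links_liblzma": sshd_links_liblzma(ldd_output),
    }


def live_check() -> dict:
    """Run the checks against this host; missing tools yield empty output."""
    xz_out = ""
    if shutil.which("xz"):
        xz_out = subprocess.run(["xz", "--version"],
                                capture_output=True, text=True).stdout
    ldd_out = ""
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    if shutil.which("ldd"):
        ldd_out = subprocess.run(["ldd", sshd],
                                 capture_output=True, text=True).stdout
    return assess(xz_out, ldd_out)


# Constructed sample outputs (not captured from a real host).
SAMPLE_XZ_BAD = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_XZ_OK = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd12345000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000100000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000200000)\n"
)

if __name__ == "__main__":
    result = assess(SAMPLE_XZ_BAD, SAMPLE_LDD)
    if result["affected_version"] and result["sshd_links_liblzma"]:
        print(f"xz {result['version']} is an affected release and sshd loads "
              f"liblzma: downgrade to {SAFE_DOWNGRADE} and keep hunting")
    else:
        print("no exposure indicated by version/linkage checks")
```

Two caveats for real use: `ldd` runs the dynamic loader on the target binary, so only point it at a binary you already trust as much as the loader, and a clean version string proves nothing if the compromised library is still on disk under another path; the version check is a triage step, not proof of absence.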
The backdoor was caught almost by luck. Freund, an engineer who happened to be investigating a performance oddity, found it before the affected versions reached most stable Linux releases. As CISA put it, “the open nature of the wider open source ecosystem allowed a developer to spot this supply chain compromise before it could cause much harm.” It remains the starkest reminder of how much trust rides on the unpaid maintainers of small, foundational libraries, and how thoroughly that trust can be weaponized.