How a Spy Infiltrated XZ Utils: The 849‑Day Supply‑Chain Attack on Billions of Linux Devices
An in‑depth investigation reveals how the lone maintainer of the ubiquitous XZ compression library was psychologically pressured, how a fabricated contributor worked his way into co‑maintainership, and how that access was used to ship the CVE‑2024‑3094 backdoor that threatened Linux servers worldwide.
1. Background: XZ Utils ubiquity and single maintainer
XZ Utils provides the xz command and the liblzma library and ships on virtually every Linux distribution; liblzma is also linked into many other programs, which is what later put it inside the SSH daemon. For years the project was maintained almost single‑handedly by Finnish developer Lasse Collin, who in 2022 said publicly that long‑term mental‑health issues were limiting the time he could give it.
2. Early warning in June 2022
In June 2022 Collin wrote on the xz‑devel mailing list that he had not lost interest, but that his ability to care for the project was limited, mostly by long‑term mental‑health issues, and asked for patience. The message was sincere. It also told anyone watching exactly where pressure would hurt, and the accounts described next used it as a lever.
3. Social‑engineering pressure campaign
From April 2022 several newly created accounts, under names such as Jigar Kumar and Dennis Ens, appeared on the mailing list. Investigative journalist Brian Krebs later found no trace of their e‑mail addresses in known breach data sets, which is consistent with identities created for this purpose rather than real people. The accounts pushed Collin to hand over maintainership, framing the demand as concern for the project and as "help"; one message stated flatly that progress would not happen until there was a new maintainer.
4. Infiltration by “Jia Tan”
GitHub user JiaT75 ("Jia Tan") sent his first patches in October 2021: clean bug fixes and test improvements that earned Collin's trust. By late 2022 he was merging his own changes, and in 2023 he became co‑maintainer, cutting releases and signing the tarballs with his own key. The groundwork for the payload (the ifunc machinery it later hooks into, plus changes to the project's fuzzing setup) landed during 2023; the backdoor itself shipped in early 2024.
5. The payload (CVE‑2024‑3094)
The backdoor shipped in upstream releases 5.6.0 (24 Feb 2024) and 5.6.1 (9 Mar 2024). Its loader was a modified m4/build-to-host.m4 that existed only in the release tarballs, not in the git repository; during ./configure it extracted an obfuscated script from two files under tests/ that look like corrupt compressed test data, and that script patched the build so an extra object was linked into liblzma. The object activates only under narrow conditions: an x86‑64 Linux build with glibc, built as a Debian or RPM package, and loaded into a process whose argv[0] is /usr/sbin/sshd. That last condition holds on Debian, Ubuntu, Fedora and openSUSE, whose sshd is patched to link libsystemd, which in turn links liblzma.
Inside sshd the payload hooks OpenSSH's RSA_public_decrypt: a client presenting a specially crafted RSA certificate, its payload signed with the attacker's Ed448 key, gets an embedded command executed as root before authentication completes. NVD scored the flaw CVSS 10.0 (CVE‑2024‑3094). It is not exploitable by just anyone, only by whoever holds that private key, but for them it is unauthenticated remote code execution on every affected SSH server.
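The check that would have surfaced the 5.6.x loader is a comparison of the release tarball against the tagged git commit: every file the tarball adds or changes is generated build machinery that never went through review in git. The script below is an added example, not code from the article or from the xz project. It assumes a tar that supports `--strip-components` (GNU or BSD), a local git checkout of the upstream repository, and whatever tag and tarball names you pass in; the file names in the usage note are illustrative.

```shell
#!/bin/sh
# Added example (not the xz project's code): list what a release tarball adds
# to or changes from `git archive` of the corresponding tag. In xz 5.6.x the
# stage-0 loader was a modified m4/build-to-host.m4 that was only in the
# tarball, so "tarball-only" generated files are exactly the set a reviewer
# must not wave through.

# Classify every file in the tarball tree relative to the git tree.
#   tarball-only: <path>   absent from the tagged commit (generated or injected)
#   differs:      <path>   present in both but with different content
# $1 = directory extracted from `git archive <tag>`, $2 = directory extracted
# from the tarball (top-level directory stripped).
compare_trees() {
    git_dir=$1
    tar_dir=$2
    ( cd "$tar_dir" && find . -type f | sort ) | while IFS= read -r f; do
        rel=${f#./}
        if [ ! -e "$git_dir/$rel" ]; then
            printf 'tarball-only: %s\n' "$rel"
        elif ! cmp -s "$git_dir/$rel" "$tar_dir/$rel"; then
            printf 'differs: %s\n' "$rel"
        fi
    done
}

# Extract both trees into a scratch directory and compare them.
# $1 = path to git repository, $2 = tag, $3 = release tarball.
compare_release() {
    repo=$1; tag=$2; tarball=$3
    work=$(mktemp -d)
    mkdir "$work/git" "$work/tar"
    git -C "$repo" archive --format=tar "$tag" | tar -x -C "$work/git"
    tar -xf "$tarball" --strip-components=1 -C "$work/tar"
    compare_trees "$work/git" "$work/tar"
    rm -rf "$work"
}

if [ "$#" -eq 3 ]; then
    compare_release "$@"
fi
```

Run as `sh compare-release.sh /path/to/xz-checkout v5.6.1 xz-5.6.1.tar.gz`. An autotools release legitimately produces a long `tarball-only:` list (configure, Makefile.in, m4/*.m4), which is precisely the cover the attacker used; the dependable response is not to read that list by eye but to regenerate those files from the tag with `autoreconf -fi` and build from that, or to build from the git tag directly.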
6. Discovery and rapid response
On 29 March 2024 Andres Freund, a PostgreSQL developer at Microsoft, noticed while benchmarking on a Debian sid machine that SSH logins had become roughly 500 ms slower and that sshd was burning CPU; he had also seen valgrind errors in liblzma some weeks earlier. Tracing the CPU time back into liblzma, he found the injected object, worked out what it did, and posted a detailed analysis to the oss‑security mailing list the same day. Within hours Debian, Fedora, openSUSE and others pulled or downgraded the packages. The backdoored releases had not yet reached any stable distribution release, which is why the damage stayed limited.
7. Residual risk
In August 2025 the security firm Binarly reported that Docker Hub still hosted Debian images containing the backdoored xz‑utils packages; the Debian project kept them, describing them as historical artifacts, and declined to remove them. Collin is once again the project's sole maintainer and reviewer, so the single‑person structure that made the attack possible is unchanged.
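For the payload in section 5 and the lingering images in section 7, the check a responder actually needs is short: is the installed liblzma one of the two backdoored upstream releases, and does this host's sshd load it? The script below is an added example, not the article's or the xz project's code. It assumes the standard `xz`, `ldd`, `dpkg-query` and `docker` tools and Debian‑family package naming (`liblzma5`); the sample `ldd` output embedded in it is constructed. One caveat it handles: Debian's emergency fix kept the version number `5.6.1+really5.4.5-1`, so matching on a `5.6.1` prefix would flag the patched package as vulnerable.

```shell
#!/bin/sh
# Added example for CVE-2024-3094 triage (not code from the article or from
# the xz project). The backdoor shipped only in upstream 5.6.0 and 5.6.1, and
# it only gives remote access when liblzma is mapped into the sshd process.

# Reduce a package or `xz --version` string to the upstream version number.
#   "xz (XZ Utils) 5.6.1"   -> 5.6.1
#   "5.6.1-1"               -> 5.6.1   (Debian revision stripped)
#   "5.6.1+really5.4.5-1"   -> 5.4.5   (Debian rollback: the code built is 5.4.5)
upstream_version() {
    v=$1
    v=${v##* }              # last space-separated token of `xz --version`
    v=${v##*+really}        # rollback packages: the real version follows "+really"
    v=${v%%-*}              # drop the distro revision
    printf '%s\n' "$v"
}

# 0 if the upstream version is one of the two backdoored releases, 1 otherwise.
is_backdoored_release() {
    case "$(upstream_version "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# 0 if the given `ldd sshd` output shows liblzma mapped into sshd, 1 otherwise.
sshd_loads_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Verdict for one host. Prints a line and returns:
#   0 = not affected
#   1 = backdoored liblzma installed but sshd does not load it (patch now)
#   2 = backdoored liblzma loaded by sshd (treat as compromised, rotate keys)
triage_host() {
    version=$1
    ldd_output=$2
    uv=$(upstream_version "$version")
    if ! is_backdoored_release "$version"; then
        echo "not affected: liblzma $uv"
        return 0
    fi
    if sshd_loads_liblzma "$ldd_output"; then
        echo "CRITICAL: backdoored liblzma $uv is loaded by sshd (CVE-2024-3094)"
        return 2
    fi
    echo "WARNING: backdoored liblzma $uv installed, but sshd does not load it"
    return 1
}

# Constructed sample of `ldd /usr/sbin/sshd` on an affected Debian sid host
# (addresses made up); libsystemd is the link that pulls liblzma into sshd.
SAMPLE_LDD='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)'

# Offline self-check against the constructed sample: expected verdict is 2.
self_check() {
    triage_host 'xz (XZ Utils) 5.6.1' "$SAMPLE_LDD"
}

# Usage: sh xz-triage.sh host | image <name> | demo
case "${1:-}" in
    host)
        # Prefer the package database (liblzma5 on Debian-family), fall back to the xz binary.
        ver=$(dpkg-query -W -f '${Version}' liblzma5 2>/dev/null || xz --version 2>/dev/null | head -n 1)
        if [ -z "$ver" ]; then
            echo "no liblzma5 package or xz binary found; check with your package manager"
            exit 0
        fi
        sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
        triage_host "$ver" "$(ldd "$sshd_bin" 2>/dev/null)"
        ;;
    image)
        # Version recorded in the image's own package database (Debian-family images).
        ver=$(docker run --rm --entrypoint dpkg-query "$2" -W -f '${Version}\n' liblzma5 2>/dev/null)
        if [ -z "$ver" ]; then
            echo "liblzma5 not installed in $2"
        elif is_backdoored_release "$ver"; then
            echo "BACKDOORED: $2 ships liblzma5 $ver (CVE-2024-3094)"
        else
            echo "ok: $2 ships liblzma5 $ver"
        fi
        ;;
    demo)
        self_check
        ;;
esac
```

`sh xz-triage.sh host` triages the machine it runs on; `sh xz-triage.sh image debian:sid-20240311` asks a pulled image what it ships. A return code of 1 is a patching problem; a return code of 2 means the backdoored object was live in a root process that accepts connections from the internet, and the host's SSH host keys and any credentials reachable from it should be treated as exposed, not merely updated.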
8. Broader implications
Harvard and the Linux Foundation's Census III report (2024) found that 40 % of the critical non‑npm projects it surveyed rely on one or two developers for more than 80 % of their commits, which makes those projects attractive targets for exactly this kind of takeover. Shortly after the xz disclosure the OpenSSF and the OpenJS Foundation warned that the same social‑engineering pattern was being tried against JavaScript projects.
9. Recommendations
Fund critical libraries: pay maintainers salaries and benefits rather than relying on volunteers.
Enforce multi‑person code review: no single maintainer should have unchecked commit rights.
Verify the identities of privileged contributors: require real‑world identity checks for anyone with signing authority.
dbaplus Community