XZ Utils Backdoor: Two-Year Social Engineering of Open Source Maintainer

An attacker spent two years patiently building trust with an overworked open source maintainer, eventually being granted commit access and inserting a sophisticated backdoor into XZ Utils — present in nearly every Linux distribution.

XZ Utils / Linux Ecosystem · 2024 · 2 min read

Attack Chain

  1. XZ Utils maintainer targeted
  2. Attacker builds trust over 2 years
  3. Malicious commits merged
  4. Backdoor in SSH daemon
  5. Discovered before widespread deployment

Background

XZ Utils is a data compression library present in virtually every Linux distribution. Its maintainer, Lasse Collin, maintained it largely alone for years. In 2022, a GitHub user named "Jia Tan" began contributing high-quality patches. Over two years, Jia Tan gained commit access and eventually became effectively a co-maintainer.

The Attack

Jia Tan's long-term social engineering included: submitting genuine, valuable code contributions over two years; applying social pressure (with help from sockpuppet accounts) suggesting that Collin's maintenance was insufficient; gaining a formal maintainer role; and then inserting a sophisticated backdoor into XZ Utils 5.6.0. The backdoor targeted OpenSSH on systemd-based Linux distributions, where sshd is built against libsystemd and therefore loads liblzma at startup. Once loaded into sshd, it modified the RSA key authentication path so that a remote party holding a hidden private key could execute code on the server. It was found only because Microsoft developer Andres Freund noticed slightly elevated CPU usage in SSH connections and investigated.

Response

Freund reported the backdoor on March 29, 2024, just days after the affected version began rolling out to Linux distributions. Most distributions had not yet deployed 5.6.0 to stable channels. Affected distributions rolled back to 5.4.6. The open source security community launched a massive investigation. Jia Tan's identity remains unknown.
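The first question an administrator had to answer once the rollback was announced was whether a host was running the backdoored release and whether its sshd even loads liblzma. The following POSIX shell triage script is an added example written for this article, not code from the XZ project or from any distribution's advisory. It assumes `xz`, `sshd` and `ldd` are on PATH for the live checks; the version list contains only the release named above (5.6.0) and should be extended from your distribution's advisory.

```shell
#!/bin/sh
# Added triage example (not part of the original article).
# Two checks a defender wants after the XZ Utils incident:
#   1. Is the installed xz/liblzma one of the versions known to carry the backdoor?
#   2. Does the local sshd dynamically link liblzma (the path the backdoor relied on)?

# Versions known to carry the backdoor. Only the version named in the article
# is listed here; extend this list from your distribution's advisory.
AFFECTED_XZ_VERSIONS="5.6.0"

# Return 0 if the given version string matches an affected version, 1 otherwise.
is_affected_xz_version() {
    ver="$1"
    for bad in $AFFECTED_XZ_VERSIONS; do
        [ "$ver" = "$bad" ] && return 0
    done
    return 1
}

# Extract the version number from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.0" -> "5.6.0". Takes the line as an argument so the
# parser can be exercised offline without a real xz binary.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the sshd binary on PATH dynamically links liblzma
# (directly or indirectly through libsystemd), 1 otherwise.
sshd_links_liblzma() {
    bin="$(command -v sshd 2>/dev/null)" || return 1
    ldd "$bin" 2>/dev/null | grep -q 'liblzma'
}

# Live check against the local host; prints a short verdict for each question.
check_host() {
    first_line="$(xz --version 2>/dev/null | head -n 1)"
    ver="$(parse_xz_version "$first_line")"
    if [ -z "$ver" ]; then
        echo "xz: not found on PATH or unrecognised version output"
    elif is_affected_xz_version "$ver"; then
        echo "xz: version $ver is AFFECTED; roll back per your distribution's advisory"
    else
        echo "xz: version $ver is not in the affected list"
    fi

    if sshd_links_liblzma; then
        echo "sshd: links liblzma (exposed to the liblzma-based backdoor path)"
    else
        echo "sshd: does not link liblzma, or sshd/ldd not available"
    fi
}

check_host
```

The version check is deliberately an exact-match list rather than a range comparison: the rolled-back release (5.4.6) is older than the backdoored one, so "newer is safer" reasoning does not hold here, and an explicit allowlist of bad versions is easier to audit. The `ldd` check answers a different question from the version check: a host can run a clean liblzma and still have an sshd that would have loaded the malicious one, which is the exposure the rollback was protecting against.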

Outcome

The backdoor was caught extraordinarily early — largely by chance — before it reached stable Linux releases at scale. If deployed, it would have given its creators a master key to log in to a significant fraction of the world's Linux servers. The operation demonstrated that patient, multi-year social engineering of open source maintainers is a viable nation-state strategy.

Key Takeaways

  1. Critical open source projects must have multiple maintainers and require review of all commits regardless of contributor reputation
  2. The burnout of open source maintainers creates social engineering opportunities — support maintainers of critical infrastructure
  3. Sockpuppet pressure campaigns accelerating trust in open source communities are a documented attack technique
  4. Even tiny performance anomalies deserve investigation — the XZ backdoor was found through 500ms of extra SSH latency
Tags: XZ Utils, backdoor, open source, social engineering, maintainer, SSH