
The XZ Backdoor: How One Hacker Nearly Broke the Internet

Zeebrain Editorial
April 19, 2026
12 min read
Science & Tech

Quick Summary

A lone hacker nearly compromised millions of Linux servers in 2024. Here's the full story of the XZ backdoor, why it almost worked, and what it reveals about open source security.


The Day the Internet Almost Broke

In early 2024, a Microsoft engineer named Andres Freund was doing routine performance testing when he noticed something odd: SSH logins on his Linux system were taking a fraction of a second longer than they should. Most engineers would have shrugged it off. Freund didn't. What he found underneath that tiny delay was one of the most sophisticated and nearly catastrophic supply chain attacks ever attempted — a deliberate backdoor hidden inside a compression library called XZ Utils, designed to give an unknown attacker skeleton-key access to millions of internet servers worldwide.

This wasn't a smash-and-grab. It was a years-long, meticulously planned infiltration of the open source ecosystem. And it came within weeks of succeeding. To understand how we got here — and why it matters for everyone who uses the internet — you need to understand the extraordinary story behind Linux itself, the open source model it depends on, and the deeply human vulnerability that nearly brought it all down.

How Linux Became the Invisible Backbone of Everything

Most people think the internet runs on Windows servers or proprietary software owned by big tech companies. It doesn't. Linux — a free, open source operating system kernel first released by Finnish student Linus Torvalds in 1991 — quietly powers the world. Every one of the top 500 supercomputers on Earth runs Linux. Android, installed on over 3 billion devices, is built on a Linux kernel. The overwhelming majority of web servers, cloud infrastructure, banking systems, government networks, and even US nuclear submarines all run Linux.

This didn't happen by accident. It happened because of a philosophical stand taken by programmer Richard Stallman in the early 1980s, after he was refused access to the source code of a Xerox printer at MIT. That refusal — a consequence of the growing trend toward proprietary, closed-source software — convinced Stallman that software freedom wasn't just a preference but a moral imperative. He quit his job, founded the Free Software Foundation, and began building a free Unix-like operating system from scratch, called GNU.

Torvalds' Linux kernel was the missing piece. Combining it with GNU's utilities and tools produced a complete, free, open operating system that anyone could inspect, modify, and redistribute. The result was a radically different model of software development: instead of one company controlling the code, thousands of contributors could improve it simultaneously. Bugs get spotted. Security flaws get patched. Progress compounds.

The underlying philosophy is known as Linus's Law: with enough eyeballs, all bugs are shallow. It's a powerful idea. But it carries a dangerous hidden assumption.

The Fragility Hidden Inside Open Source

Open source software is not a single monolithic project. It's an ecosystem — an intricate web of thousands of individual tools, libraries, and utilities, each doing a specific job. Networking, compression, cryptography, logging: each function is handled by a separate piece of software, often maintained by a separate team, or sometimes a single person working in their spare time for free.

This is where the famous XKCD comic about open source infrastructure cuts deep. It shows the entire modern digital economy balanced on a single rickety block, maintained by some lone volunteer in Nebraska. It's funny because it's true — and in the case of XZ Utils, it was literally true.

XZ Utils is a data compression tool so efficient and so widely adopted that it ships as a dependency in almost every major Linux distribution. For nearly two decades, it was maintained almost entirely by one man: Lasse Collin, a Finnish developer who had been running the project since 2005, unpaid, in his free time. By the early 2020s, Collin was burning out. The pressures were accumulating — patches going unreviewed, users growing impatient, and his own mental health suffering under the weight of a project that millions of machines quietly depended on.

This is exactly the kind of vulnerability a sophisticated attacker looks for. Not a technical flaw. A human one.

The Social Engineering Attack That Almost Worked

Sometime around 2021, a user called Jia Tan appeared on the XZ mailing list. They were helpful, technically capable, and patient. Over many months, Jia submitted useful patches, offered encouragement, and gradually built trust with Collin. Meanwhile, other accounts — almost certainly sock puppets controlled by the same actor — applied social pressure on Collin, criticising his slow pace and demanding he bring in more help.

Collin, exhausted and grateful, eventually gave Jia Tan commit access to the XZ repository — the ability to push code changes directly to the project. Over the next two years, Jia Tan became the de facto maintainer. The contributions were legitimate. The persona was credible. And then, in late 2023, Jia began inserting the backdoor.


The attack was surgical. XZ Utils had become a dependency of systemd, the init system that manages startup processes on most modern Linux distributions. And systemd, in many configurations, was linked to OpenSSH — the open source implementation of Secure Shell, the protocol that allows administrators to remotely log into and control servers. SSH is, as one security expert put it, the maintenance backbone of the entire internet. Having a backdoor in SSH is like having a master key to every hotel on Earth.

Jia's backdoor was hidden inside a binary test file — not in readable source code — and used a complex series of obfuscation techniques to conceal its purpose. If it had reached stable release in the major Linux distributions, an attacker with the right private key could have bypassed SSH authentication entirely on millions of servers. Spying, ransomware deployment, sabotage of critical infrastructure: all of it would have been trivially possible.

Why SSH Security Is So Critical

To appreciate the full weight of what was nearly lost, it helps to understand what SSH actually does and why it matters.

Before SSH existed, remote logins on Unix systems were transmitted in plain text. Usernames, passwords, commands — all of it could be intercepted by anyone on the same network. In 1995, a hacker did exactly that at Helsinki University of Technology, capturing thousands of credentials in a single sniffing attack. Finnish researcher Tatu Ylonen responded by designing a protocol that combined two cryptographic breakthroughs.

The first was Diffie-Hellman key exchange — a method that allows two parties to agree on a shared encryption secret without ever transmitting that secret directly, even if someone is listening to the entire conversation. The second was RSA public-key cryptography, which allows one party to verify the identity of another using mathematically linked public and private keys, defeating man-in-the-middle attacks.

Together, these two mechanisms form the foundation of SSH. They are also the foundation of HTTPS, modern VPNs, and essentially all secure communications on the internet. OpenSSH, the most widely deployed implementation, is one of the most scrutinised pieces of software in existence — precisely because a flaw in it would be catastrophic. The XZ backdoor was designed to exploit OpenSSH not by breaking its cryptography, but by subverting the software layer beneath it before the cryptography even engaged.

What the XZ Backdoor Reveals About Software Supply Chains

The XZ incident is not an isolated story about one bad actor and one unlucky maintainer. It is a warning about a systemic vulnerability at the heart of modern digital infrastructure.

Supply chain attacks — where an adversary compromises a trusted component that is then distributed to many downstream targets — are among the most dangerous vectors in cybersecurity. The 2020 SolarWinds attack, which gave suspected Russian intelligence operatives access to thousands of US government and corporate networks, worked on the same principle. So did the 2021 Codecov breach and the npm package poisoning incidents that have become a regular occurrence in the JavaScript ecosystem.

What makes the XZ attack distinctive is the patience and sophistication involved. Creating a fake persona, building genuine trust over two years, inserting a technically complex backdoor hidden in binary files rather than source code — this is not the work of an opportunistic script kiddie. The geopolitical fingerprints remain ambiguous, but the operational tradecraft bears the hallmarks of a state-sponsored actor.

The deeper lesson is structural. The open source model generates enormous value — it is arguably the most successful collaborative engineering project in human history — but it has systematically underinvested in the human layer. Thousands of critical projects are maintained by individuals who receive no financial compensation, limited institutional support, and enormous psychological pressure. That is not a sustainable model for infrastructure that underpins global finance, healthcare, and national security.

What Needs to Change — and What You Can Do

The near-miss of the XZ backdoor has galvanised serious discussion about how to harden the open source ecosystem. Several directions are worth watching.


Funding and sustainability matter enormously. Initiatives like the Open Source Security Foundation (OpenSSF), GitHub's support programmes, and the EU's Cyber Resilience Act are beginning to direct real resources toward critical open source projects. But the scale of investment still falls far short of the problem. Critical infrastructure dependencies need to be identified, funded, and supported the way any other piece of essential national infrastructure would be.

Better tooling for supply chain verification is also essential. The concept of a Software Bill of Materials (SBOM) — a machine-readable inventory of every component in a software product — is gaining traction in both government procurement and enterprise security. Making SBOMs mandatory for critical systems would at least ensure that the dependency graph is visible before disaster strikes.

For organisations running Linux infrastructure, the immediate practical steps are familiar but worth restating: keep systems patched and updated, audit your dependency tree, monitor for anomalous SSH activity, and treat maintainer changes in critical upstream packages as security events worthy of review.
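The dependency chain the article describes earlier (sshd loading libsystemd, which in turn loads liblzma) is exactly what "audit your dependency tree" means for this incident, and it can be checked mechanically. The script below is an added example, not code from the article or from the XZ or OpenSSH projects: it parses the DT_NEEDED entries printed by `readelf -d` into a graph and lists every linkage chain from `sshd` to a liblzma library. The embedded readelf output is a constructed sample for a Debian-style host; the `live_graph` helper is an assumption that shells out to `ldd` and `readelf` on a glibc Linux host with binutils installed.

```python
import re
import subprocess
from collections import deque

# DT_NEEDED lines as printed by `readelf -d`, e.g.
#  0x0000000000000001 (NEEDED)  Shared library: [libsystemd.so.0]
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")
# ldd lines of the form "libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x7f...)"
LDD_RE = re.compile(r"^\s*(\S+)\s+=>\s+(/\S+)")

# Constructed sample readelf output for a host whose sshd is built with systemd
# notification support. Illustrative only, not captured from a real machine.
SAMPLE_READELF = {
    "sshd": (
        " 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.3]\n"
        " 0x0000000000000001 (NEEDED)  Shared library: [libsystemd.so.0]\n"
        " 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]\n"
    ),
    "libsystemd.so.0": (
        " 0x0000000000000001 (NEEDED)  Shared library: [liblzma.so.5]\n"
        " 0x0000000000000001 (NEEDED)  Shared library: [libzstd.so.1]\n"
        " 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]\n"
    ),
    "libcrypto.so.3": " 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]\n",
    "liblzma.so.5": " 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]\n",
    "libzstd.so.1": " 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]\n",
    "libc.so.6": "",
}


def parse_needed(readelf_output: str) -> list[str]:
    """Return the DT_NEEDED sonames listed in one `readelf -d` dump, in order."""
    return NEEDED_RE.findall(readelf_output)


def build_graph(readelf_outputs: dict[str, str]) -> dict[str, list[str]]:
    """Map each object (binary or soname) to the sonames it links directly."""
    return {name: parse_needed(out) for name, out in readelf_outputs.items()}


def find_link_chains(graph: dict[str, list[str]], root: str, target_prefix: str) -> list[list[str]]:
    """Every distinct DT_NEEDED chain from root to a soname starting with target_prefix.

    Breadth-first, so shorter chains come first; a soname already on the current
    chain is skipped so circular dependencies cannot loop forever.
    """
    chains = []
    queue = deque([[root]])
    while queue:
        chain = queue.popleft()
        for dep in graph.get(chain[-1], []):
            if dep in chain:
                continue
            step = chain + [dep]
            if dep.startswith(target_prefix):
                chains.append(step)
            else:
                queue.append(step)
    return chains


def live_graph(binary: str) -> dict[str, str]:
    """Collect real `readelf -d` output for a binary and every library ldd resolves for it.

    Assumes a glibc Linux host with binutils. Note that ldd runs the dynamic loader,
    so point it only at binaries that are already installed and trusted on the host.
    """
    def readelf(path: str) -> str:
        return subprocess.run(["readelf", "-d", path], capture_output=True, text=True, check=True).stdout

    outputs = {binary: readelf(binary)}
    ldd = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    for line in ldd.splitlines():
        m = LDD_RE.match(line)
        if m:
            soname, path = m.groups()
            outputs[soname] = readelf(path)
    return outputs


def audit(readelf_outputs: dict[str, str], root: str = "sshd") -> dict:
    """Summarise whether liblzma reaches the root object and through which libraries."""
    graph = build_graph(readelf_outputs)
    chains = find_link_chains(graph, root, "liblzma")
    return {
        "root": root,
        "liblzma_reachable": bool(chains),
        "direct": any(len(c) == 2 for c in chains),
        "bridges": sorted({c[1] for c in chains if len(c) > 2}),
        "chains": [" -> ".join(c) for c in chains],
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python3 audit_lzma.py /usr/sbin/sshd
        result = audit(live_graph(sys.argv[1]), root=sys.argv[1])
    else:
        result = audit(SAMPLE_READELF)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A "bridges" entry of libsystemd.so.0 is the configuration the article warns about; whether a given liblzma build is actually affected is a question for your distribution's advisory, which this script does not try to answer.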

And for the broader technology community, the XZ story is a reminder that open source is not self-sustaining magic. It is the product of human labour, human trust, and human vulnerability. Treating it as a free resource to be consumed without investment is how you end up weeks away from catastrophe — saved only by one engineer's curiosity about a half-second login delay.

Conclusion: A Near Miss That Should Change Everything

The XZ backdoor was discovered in time. Millions of servers were not compromised. Critical infrastructure did not fall. But the margin was razor-thin, and the conditions that made the attack possible have not gone away. Across the open source ecosystem, there are still countless Lasse Collins — talented, dedicated, exhausted volunteers carrying dependencies that the entire internet quietly rests on.

The open source model has given us Linux, the engine of modern civilisation. Now the task is to build the support structures that keep it secure — not just technically, but humanly. Because the next Jia Tan is already looking for the next weak link.

Frequently Asked Questions

What is the XZ backdoor and why was it dangerous?

The XZ backdoor was a malicious piece of code secretly inserted into XZ Utils, a widely used Linux compression library, in 2023 and early 2024. Because XZ Utils was a dependency of systemd — which, in many Linux distributions, was linked to OpenSSH — the backdoor could have allowed an attacker with the corresponding private key to bypass SSH authentication entirely. SSH is the primary method used to remotely access and manage servers, so a functioning backdoor would have granted access to potentially millions of internet-connected machines.

Who is Jia Tan and were they ever identified?

Jia Tan is the pseudonym used by the attacker who spent roughly two years building a trusted identity within the XZ Utils open source community before inserting the backdoor. As of the time of writing, the true identity of Jia Tan has not been publicly confirmed. The level of patience, technical sophistication, and operational security involved has led many researchers to conclude that the actor was likely state-sponsored, though no government has been officially attributed.

How was the XZ backdoor discovered?

The backdoor was discovered in March 2024 by Andres Freund, a Microsoft engineer who noticed that SSH logins on his Debian Linux system were taking slightly longer than expected. Following that anomaly, he traced the performance issue back to a recently updated version of XZ Utils and found the hidden malicious code. The discovery was made before the compromised version had reached stable release in the major Linux distributions, preventing widespread exploitation.

What is a supply chain attack in cybersecurity?

A supply chain attack targets not a system directly, but a trusted component that is distributed to many downstream users. Instead of trying to hack a bank's servers directly, for example, an attacker might compromise a software library the bank uses, so the malicious code is delivered automatically as a routine update. Supply chain attacks are particularly dangerous because they exploit established trust relationships and can affect thousands or millions of targets simultaneously. Notable examples include the 2020 SolarWinds attack and the XZ Utils backdoor incident.

Is Linux still safe to use after the XZ backdoor discovery?

Yes. The backdoor was discovered before it reached stable releases in major Linux distributions, meaning the vast majority of production systems were never exposed to the compromised version. Linux itself remains one of the most secure and widely audited operating systems in the world. The incident highlighted vulnerabilities in the open source supply chain, but it also demonstrated that the community's security practices — including the kind of careful performance monitoring that led to the discovery — do work. Keeping systems updated and monitoring upstream dependency changes remains best practice.



About Zeebrain Editorial

Our editorial team is dedicated to providing clear, well-researched, and high-utility content for the modern digital landscape. We focus on accuracy, practicality, and insights that matter.
