The Backdoor That Almost Took Down the Internet
XZ Utils Backdoor
Created on 2 March 2026.
If you run any server — cloud, VPS, even a Raspberry Pi at home — this affects you. Directly.
I just watched a video that genuinely unsettled me. Not in a doomscrolling-the-news way, but in a "we narrowly avoided a catastrophic cyberattack and almost nobody noticed" way.
So I needed to share it. Because this story matters.
What happened
In early 2024, someone (we still don't know who) managed to inject a backdoor into XZ Utils, a compression tool and library (liblzma) so fundamental that it's in virtually every Linux system in the world. We're talking servers, cloud infrastructure, containers, embedded devices. If it runs Linux, it probably has XZ.
The backdoor targeted OpenSSH, the primary way we remotely access Linux servers. OpenSSH itself doesn't use xz at all; the hook got in because Debian, Fedora and several other distributions patch sshd to link libsystemd for service notifications, and libsystemd pulls in liblzma. Once loaded into sshd, the backdoor hijacked RSA signature checking during authentication so that an attacker holding the right private key could send a signed payload and execute arbitrary code as root on any affected, internet-reachable system, without ever logging in.
The CVSS score? 10.0, the maximum. It was assigned CVE-2024-3094. There's literally nothing worse.
Here's the scary part: the compromised version had already reached the rolling and pre-release branches of major Linux distributions: Fedora Rawhide and the Fedora 40 beta, Debian unstable and testing, Arch, Kali, openSUSE Tumbleweed. It sat there for about a month. If it had reached stable releases, potentially hundreds of millions of servers worldwide would have been vulnerable.
It was discovered only weeks before stable releases such as Fedora 40 were due to ship it.
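If you want to know whether a machine you run was exposed, the two questions are: does it carry one of the two backdoored liblzma releases (5.6.0 or 5.6.1), and does its sshd actually link liblzma, which is the libsystemd path that made the sshd hook reachable on Debian- and Fedora-style builds. The script below is an added example written for this post, not something from the XZ project or the video; it assumes a glibc system with `xz` and `ldd` on the PATH, and the version-parsing functions take their input as arguments or stdin so they can be tested on constructed output without touching the live system.

```shell
#!/bin/sh
# Added example (not from the original post or the XZ project): check whether
# this host carries a liblzma build from the CVE-2024-3094 releases
# (xz 5.6.0 / 5.6.1) and whether its sshd links liblzma at all.
# Assumption: glibc system with `xz` and `ldd` available.

# Returns 0 (true) if the version string is one of the two backdoored
# releases. Takes the version as an argument so it can be tested on
# constructed input.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extracts the liblzma version from `xz --version` output, whose second
# line reads e.g. "liblzma 5.4.6". Reads stdin so tests can feed it
# constructed output.
parse_liblzma_version() {
    awk '/^liblzma/ { print $2; exit }'
}

# Returns 0 if the given binary links liblzma according to ldd. On hosts
# without ldd this simply reports "does not link", which is acceptable for
# a quick triage script but not for a final answer.
links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma\.so'
}

# Prints a verdict for this host. Exit status 1 means a backdoored
# liblzma release is installed.
check_host() {
    ver=$(xz --version 2>/dev/null | parse_liblzma_version)
    if [ -z "$ver" ]; then
        echo "xz not found; nothing to check"
        return 0
    fi
    echo "liblzma version: $ver"
    if xz_version_affected "$ver"; then
        echo "AFFECTED: liblzma $ver is a backdoored release (CVE-2024-3094); downgrade or reinstall now"
        rc=1
    else
        echo "liblzma $ver is not one of the backdoored releases"
        rc=0
    fi
    # sshd usually lives in /usr/sbin, which is often not on a non-root PATH.
    sshd_path=$(command -v sshd 2>/dev/null || ls /usr/sbin/sshd 2>/dev/null || true)
    if [ -n "$sshd_path" ]; then
        if links_liblzma "$sshd_path"; then
            echo "note: $sshd_path links liblzma (libsystemd path); the sshd hook was reachable on such builds"
        else
            echo "note: $sshd_path does not link liblzma; the sshd hook had no way in here"
        fi
    fi
    return $rc
}

check_host
```

A version outside 5.6.0/5.6.1 is not a clean bill of health on its own (a distribution may have rebuilt 5.6.x under a different package revision, and an already-compromised host can lie about its packages), but it is the first thing to establish, and the liblzma link check tells you whether the sshd route was even open on that build.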
How it happened
This wasn't some script kiddie finding an exploit. This was a multi-year operation: the first contributions appeared in late 2021, and the backdoor landed in February 2024.
Someone going by "Jia Tan" slowly infiltrated the XZ project. Sock puppet accounts (such as "Jigar Kumar") pressured the original maintainer, Lasse Collin, to hand over responsibility, and later other accounts (such as "misoeater91") pushed distributions to adopt the new release quickly. Eventually, Jia Tan became co-maintainer and introduced the backdoor in versions 5.6.0 and 5.6.1.
The code was sophisticated: obfuscated and multi-stage. The malicious payload was hidden in binary files under tests/ that look like ordinary compression test data, and it was only extracted and linked into liblzma during the build. The modified build script ran only on x86_64 Linux with glibc, and only when building a Debian or RPM package. The piece that did the extraction, a modified m4/build-to-host.m4, wasn't in the git repository at all; it existed only in the release tarballs, so anyone reviewing the git history saw nothing unusual.
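The tarball-only injection is the part worth turning into a habit: a release artifact that carries files the tagged source does not, or files whose content differs from it, deserves a look before it is packaged. The script below is an added example for this post, not tooling from the XZ project; it assumes you have already unpacked the tarball into one directory and checked out the matching git tag into another (both paths are yours to supply), and it keeps a small, tunable list of autotools outputs that are legitimately present only in tarballs. The test feeds it a constructed pair of directories in which the tarball has an extra m4/build-to-host.m4 and a modified README.

```shell
#!/bin/sh
# Added example (not from the original post or the XZ project): compare an
# unpacked release tarball against the matching git tag checkout.
# Assumptions: $1 is the unpacked tarball directory, $2 is the git checkout,
# and EXPECTED_GENERATED lists build outputs you accept in a tarball.

# Autotools outputs that are normally shipped in tarballs but not committed.
# Tune this per project; anything else that is tarball-only gets reported.
EXPECTED_GENERATED='^(configure|config\.h\.in|aclocal\.m4|Makefile\.in|.*/Makefile\.in)$'

# Sorted list of regular files under a directory, relative paths, .git excluded.
list_files() {
    (cd "$1" && find . -type f ! -path './.git/*' | sed 's|^\./||' | sort)
}

# Prints files present in the tarball ($1) but absent from git ($2),
# skipping the expected generated files.
tarball_extra_files() {
    tarball_files=$(list_files "$1")
    git_files=$(list_files "$2")
    printf '%s\n' "$tarball_files" | while IFS= read -r f; do
        [ -n "$f" ] || continue
        printf '%s\n' "$git_files" | grep -qxF -- "$f" && continue
        printf '%s\n' "$f" | grep -Eq "$EXPECTED_GENERATED" && continue
        printf '%s\n' "$f"
    done
}

# Prints files present in both trees whose content differs. A tarball can
# also carry a modified copy of a file git does have, so an extra-files
# check alone is not enough.
tarball_modified_files() {
    list_files "$2" | while IFS= read -r f; do
        [ -n "$f" ] || continue
        [ -f "$1/$f" ] || continue
        cmp -s "$1/$f" "$2/$f" || printf '%s\n' "$f"
    done
}

# Usage: compare_release <tarball-dir> <git-checkout-dir>
# Exit status 1 if anything unexpected is found.
compare_release() {
    extra=$(tarball_extra_files "$1" "$2")
    modified=$(tarball_modified_files "$1" "$2")
    status=0
    if [ -n "$extra" ]; then
        echo "files only in the tarball (not expected build output):"
        printf '  %s\n' $extra
        status=1
    fi
    if [ -n "$modified" ]; then
        echo "files whose content differs between tarball and git:"
        printf '  %s\n' $modified
        status=1
    fi
    [ $status -eq 0 ] && echo "tarball matches the git tag apart from expected generated files"
    return $status
}

# Example invocation when run directly (paths are placeholders):
# compare_release ./xz-5.6.1 ./xz-git-v5.6.1
```

In the real incident the flagged file would have been m4/build-to-host.m4, which the tarball carried and git did not. The comparison is only as good as the tag you check out, so fetch it from the project's canonical repository rather than from whoever handed you the tarball, and treat a non-empty "modified" list with the same suspicion as the "extra" list.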
This was a supply chain attack at its finest. Not hacking a system. Becoming the system.
Who saved us?
A PostgreSQL developer at Microsoft named Andres Freund was debugging performance issues on Debian Sid when he noticed something strange: SSH logins were using unexpectedly high CPU (roughly half a second of extra work per failed login), and Valgrind, a memory-debugging tool, was throwing errors inside liblzma.
He dug deeper, found the backdoor, and reported it to the oss-security list on 29 March 2024.
One person. Not a security team. Not a government agency. One developer noticing something off.
That's what saved the internet. We can call ourselves lucky, right?
Why this matters
Alex Stamos (former CSO at Facebook) said it best: "This could have been the most widespread and effective backdoor ever planted in any software product."
If undetected, it would have given attackers a master key to hundreds of millions of computers running SSH. Cloud servers. Government systems. Everything.
Again, we got lucky!
Andres Freund only found it because he was debugging something unrelated. The backdoor was incredibly sophisticated. Most people wouldn't have noticed. Security teams at major companies didn't catch it.
The bigger picture
This incident sparked a lot of uncomfortable conversations about open source security:
- Critical infrastructure depends on unpaid volunteers
- A single maintainer can be socially engineered over years
- The attack targeted the build pipeline, not just source code
- CISA and the OpenSSF warned that this may not be an isolated case
Since then, similar takeover attempts have been detected in other open source projects: within weeks the OpenSSF and the OpenJS Foundation reported social-engineering attempts against JavaScript projects that followed the same pattern.
The software world runs on trust. Most of the time, that trust is well-placed. But every now and then, someone abuses it in ways that are almost impossible to detect.
What I keep thinking about
More than two years. That's how long this operation ran. Patient. Calculated. Building trust before making a move.
We think about security in terms of firewalls, encryption, patches. But the hardest attack vector to defend against is the one where the attacker becomes the defender.
I don't have a neat conclusion here. Just a story that I think more people should know.
P.S. If you want to go deeper, Veritasium just released a video on this. It's brilliant. Here's the link: https://youtu.be/aoag03mSuXQ
Stay curious.