The XZ backdoor and the trust we extend to strangers
In early 2024, a single engineer discovered that someone had spent two years patiently building trust inside an open-source project in order to insert a backdoor. It is one of the most sophisticated supply chain attacks ever documented. It is also a story about loneliness.
The attacker — operating under the name Jia Tan, identity still unknown — did not hack their way in. They contributed. Helpful, high-quality patches over many months. They built a reputation. They became trusted. And then, when the moment was right, they used that trust to insert malicious code, embedded so deeply in a compression library that almost no one would have noticed.
The social contract of open source
Open source runs on a gift economy of attention. Maintainers are often unpaid volunteers managing projects used by millions. The attacker understood this. They also understood that the maintainer of XZ Utils was burned out, overwhelmed, and grateful for help.
What followed was almost tender in its manipulation: supportive messages, offers of assistance, gradual escalation of responsibility. The attacker played a long game, and the currency they spent was care — or something that looked exactly like it.
The vulnerability was not in the code. It was in the trust that makes open source possible at all.
What we do with this
The obvious response is suspicion: verify more, trust less, demand proof of identity from contributors. This is sensible and also corrosive, because open source is built on the assumption that strangers can collaborate in good faith toward shared ends.
I do not have a clean resolution. What I have is the observation that the attacker chose the right target: not a corporate system with security teams and protocols, but a human being who was tired and grateful for help. The exploit was social before it was technical. And there is no patch for loneliness.