Phuoc Nguyen Dang

Posted on • Originally published at youtube.com

The Spy Who Coded For Two Years — The XZ Backdoor

A state intelligence operation spent two years building trust in an open-source project. Making real contributions. Being helpful. Then they planted a backdoor into every Linux server on the internet.

It was caught because one engineer noticed SSH was 500 milliseconds too slow.

Three lessons that keep me up at night:

  1. Trust is the attack surface. Jia Tan didn't hack anything. They socially engineered their way to maintainer status by being genuinely helpful for two years.

  2. Critical infrastructure depends on unpaid volunteers. XZ Utils — on every Linux machine on Earth — was maintained by one person for 13 years. When he burned out, the "help" that arrived was a spy.

  3. We were 33 days from catastrophe. The backdoor was in Fedora beta. Fedora stable was weeks from shipping. If one curious engineer hadn't been benchmarking that day, we might never have known.

The invisible infrastructure of the internet is built by volunteers. Adversaries know exactly where to push.

Full story on CodeLore: https://www.youtube.com/watch?v=A2uL83tfHa4
