How One Hack Nearly Took Down The Internet
Veritasium · Science & Education


TL;DR

A state-sponsored hacker spent 2.5 years infiltrating a single volunteer-maintained Linux tool to plant a backdoor into millions of internet servers.

Key Points

1. Richard Stallman's 1985 Free Software Foundation and Linus Torvalds' 1991 Linux kernel together created the open-source OS now running on 3+ billion Android devices and the majority of internet servers worldwide.
2. Linux's security relies on "Linus's Law" — that many eyeballs catch all bugs — but the ecosystem depends on thousands of small tools, often maintained by single unpaid volunteers.
3. Lasse Collin, a Finnish developer, maintained XZ (a widely used lossless compression tool based on the LZMA algorithm) alone and unpaid since 2005, quietly becoming a critical dependency of OpenSSH.
4. OpenSSH is the dominant remote login protocol securing virtually every Linux server; a bypass of its RSA authentication would act as a master key to millions of machines.
5. A bad actor named "Jia Tan" spent ~2.5 years grooming Lasse Collin — first helping, then taking over as co-maintainer — before embedding a sophisticated backdoor inside XZ's binary test files.
6. The backdoor used three steps: hiding the payload in binary test blobs (Trojan Horse), exploiting a precise timing window in the Global Offset Table before it turned read-only (Goldilocks Zone), and wiping SSH logs to cover intrusion tracks (Cat Burglar).
7. Jia Tan raced to get the compromised XZ 5.6.0 into Fedora pre-release, Debian testing, and Ubuntu pre-release before a planned RHEL 10 release would have infected critical government and hospital servers.
8. Microsoft engineer Andres Freund — not a security researcher — accidentally discovered the backdoor in March 2024 after noticing SSH connection slowdowns of ~400–500 milliseconds while testing Postgres on Debian.
9. Andres found the backdoor was self-concealing: it scanned raw memory for audit hooks, decoded binary instructions, wrapped itself in custom encryption, and erased its own SSH log entries to stay invisible.
10. Jia Tan is suspected to be a state-sponsored operation using sock-puppet accounts to pressure Lasse; the operation involved years of coordinated effort and nearly gave attackers remote root access to millions of servers.
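Two host checks a defender could run for the exposure described in points 3, 6 and 7, as an added example that is not from the video or this summary: flag the xz release the summary names as backdoored, and confirm whether the local sshd actually links liblzma (the dependency path that put XZ inside the SSH daemon). It assumes `xz --version` prints a line of the form "xz (XZ Utils) X.Y.Z" and that `ldd` is available.

```shell
#!/bin/sh
# Added example, not from the video: two host checks for the XZ backdoor
# described above. Assumptions: `xz --version` prints "xz (XZ Utils) X.Y.Z",
# and `ldd` is available to list a binary's shared-library dependencies.

# Backdoored xz release named in the summary. Your distribution's advisory
# lists the full set of affected releases; add any others here.
BACKDOORED_XZ_VERSIONS="5.6.0"

# Pull the version number out of `xz --version` output, e.g.
#   xz (XZ Utils) 5.6.0
#   liblzma 5.6.0
# Prints nothing when the output does not match that shape.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeeds (exit 0) when the version is on the backdoored list.
is_backdoored_xz_version() {
    for v in $BACKDOORED_XZ_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Succeeds when the given sshd binary pulls in liblzma at all; that link is
# what put a compression library's code inside the SSH daemon's process.
sshd_links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma\.so'
}

# Stand-alone run against the local host (each check is skipped if its tool is absent).
if command -v xz >/dev/null 2>&1; then
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    ver=${ver:-unknown}
    if is_backdoored_xz_version "$ver"; then
        echo "WARNING: xz $ver is a known-backdoored release"
    else
        echo "xz $ver is not on the known-backdoored list"
    fi
fi
if [ -x /usr/sbin/sshd ] && command -v ldd >/dev/null 2>&1; then
    if sshd_links_liblzma /usr/sbin/sshd; then
        echo "NOTE: sshd links liblzma; the xz version above matters for SSH exposure"
    else
        echo "sshd does not link liblzma"
    fi
fi
```

A host where sshd does not link liblzma was not reachable through this particular dependency chain even with a backdoored xz installed, which is why both checks are reported together.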
