xz-utils
Safeguard articles tagged "xz-utils" — guides, analysis, and best practices for software supply chain and application security.
17 articles
The C++ supply chain has no npm — and that's the risk
C++ has no single package registry like npm or PyPI, so vendored code hides provenance — the XZ Utils backdoor (CVE-2024-3094, CVSS 10.0) shows the cost.
Anatomy of the XZ Utils backdoor: how CVE-2024-3094 nearly compromised SSH on every major Linux distro
A CVSS 10.0 backdoor sat in xz 5.6.0 and 5.6.1 for weeks, hidden in a test file, until 0.5 seconds of extra SSH login latency gave it away.
The XZ Utils Backdoor (CVE-2024-3094) Explained: A Near-Miss Supply Chain Catastrophe
CVE-2024-3094 was a deliberately planted backdoor in xz-utils 5.6.0/5.6.1 targeting sshd. It was caught by a 500ms delay one engineer refused to ignore. Here is how the attack worked.
Lessons from the XZ Utils Backdoor: A Three-Year Social Engineering Heist
CVE-2024-3094 was a backdoor patiently planted in XZ Utils over years of social engineering, caught by an engineer chasing half a second of SSH latency. Here is the full story.
Maintainer burnout is a supply-chain risk: lessons from xz-utils
The xz-utils backdoor was made possible because a single exhausted maintainer accepted help from a patient and well-resourced stranger. Sustaining critical maintainers is now a security problem, not just a moral one.
Open Source Sustainability Is an Attack Surface Problem
Unmaintained, underfunded open source is not just a reliability risk — it is how attackers get in. The xz Utils backdoor proved that maintainer burnout is a security vulnerability with a CVE number.
XZ Utils Backdoor: One Year Retrospective
A year after the XZ Utils backdoor was caught by Andres Freund at Microsoft, what did we fix, what did we ignore, and what still gets packaged into Linux distros?
XZ Utils backdoor discovery (CVE-2024-3094)
A deep dive into CVE-2024-3094, the XZ Utils backdoor: affected versions, CVSS/EPSS context, full attack timeline, and remediation steps.
Insider Threats in Open Source Projects: Lessons from XZ Utils
The XZ Utils backdoor was a three-year social engineering operation, not a coding mistake. What the timeline shows about maintainer trust, and what you can actually monitor.
The Unpaid Labor Behind Critical Internet Infrastructure
Open source runs on unpaid maintainer labor. From xz-utils to Log4Shell to colors.js, we examine why burnout became a top supply chain security risk.
Why Maintainer Burnout Is a Security Metric, Not Just an ...
The xz Utils backdoor started with a burned-out maintainer, not a zero-day. Here's why maintainer fatigue belongs in your supply chain risk model.
Why Automated Tooling Can't Fully Replace Human Maintaine...
Automated scanners missed the XZ Utils backdoor for years. Here's why CVE scores, SAST tools, and dependency bots can't replace human maintainer judgment.