Dropping the usual format (#031’s Heartbleed protocol, invoked for the fourth time in twelve years): the fortnight is XZ.

On March 29th, a Microsoft engineer named Andres Freund — investigating a HALF-SECOND SSH latency regression and some odd valgrind noise on Debian test builds — pulled a thread that unraveled the most sophisticated supply-chain attack ever documented in open source: a backdoor in xz-utils (the compression library inside essentially every Linux distribution), inserted not by compromising code but by compromising TRUST ITSELF. The multi-year mechanics, reconstructed publicly within days (#258’s replication machine, forensic edition): a persona (“Jia Tan”) arrived in 2021 as a helpful contributor to a burnt-out solo maintainer (Lasse Collin, maintaining a universal dependency UNPAID for fifteen years — the #218 Log4j economics, the #031 sermon, unhealed); sockpuppet accounts pressured Collin about slow maintenance until he shared commit rights; “Jia Tan” then spent YEARS earning release authority through legitimate work before landing the payload — hidden not in the readable source but in BINARY TEST FILES, activated only during packaged builds, targeting sshd via systemd’s libsystemd dependency chain, gated to specific distro-build environments to evade detection. It reached Debian and Fedora TESTING branches. It was WEEKS from the world’s production SSH servers.

And it was caught by one engineer’s refusal to ignore 500 milliseconds.

The file’s extractions, each older than the incident: (1) The attack vector was MAINTAINER BURNOUT — the social engineering targeted a human’s exhaustion, not a parser’s bounds (#061’s bus-factor doctrine weaponized; every underfunded critical dependency is now legibly a NATIONAL-SECURITY-grade social attack surface, and the “who pays the maintainers” debate #218 just acquired its APT chapter). (2) The detection was ANOMALY CULTURE — Freund wasn’t a security researcher hunting backdoors; he was a performance engineer who found latency AESTHETICALLY offensive (#001’s calm-tech-lead lineage: the craft’s deepest defense is people who notice small wrongness and pull threads — un-automatable, un-mandatable, cultivated only by cultures that reward the pulling). (3) The near-miss accounting must be honest: we got LUCKY — the margin was one engineer’s weekend curiosity against a multi-year state-grade operation (attribution unresolved; the patience says institution), and “distributed review catches everything” died as doctrine this fortnight — the payload PASSED review because review reads source, and the source was clean (#194’s reproducible-builds roadmap item just became the industry’s homework, with a deadline written in someone else’s persistence).

Every dependency audit this archive has preached (#079, #218) runs shallower than this attack was built. The response — maintainer-support funding surges, build-provenance tooling (sigstore, reproducibility), contributor-identity debates now live across every foundation — will be graded by whether it persists past the news cycle (#262’s metabolization pessimism, praying to be wrong).

TIL: the attack’s tell was performance overhead — the backdoor’s hook cost milliseconds, and milliseconds are legible to someone who cares. Instrument everything; BELIEVE your instruments; and fund the humans who find half a second personally insulting (#065’s invisible work: this fortnight it saved the internet).