Free Republic
Browse · Search
General/Chat
Topics · Post Article


The Internet Was Weeks Away From Disaster and No One Knew
yutube ^ | 25 February 2026 | Veritasium

Posted on 02/26/2026 6:38:44 AM PST by ShadowAce

How a single hack infected the world’s most important operating system.

Video is 53 minutes. Yes it's long, but it goes into all the background of what happened, plus a post-mortem and analysis.

This is about the xz compression hack several years ago. I remember hearing about it and being thankful we have unaffiliated people who can test things like this when they see an anomaly in the code/testing they are performing.


TOPICS: Computers/Internet
KEYWORDS: cantspellyoutube; internet; linux; security
To: Fresh Wind
AI slop.

None of what they say and explain in the video is false.

I remember this event. I followed it at the time. It's all true.

21 posted on 02/26/2026 8:45:57 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 18 | View Replies]

To: ShadowAce

Thankfully we had the likes of Al Gore to insure its proficiency.


22 posted on 02/26/2026 8:47:19 AM PST by Racketeer
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

Only 4.92 years left.


23 posted on 02/26/2026 8:48:18 AM PST by Libloather (Why do climate change hoax deniers live in mansions on the beach?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce
Video Transcript Summary

The transcript is a detailed narrative (likely from a Veritasium video) recounting the XZ Utils backdoor incident (CVE-2024-3094), one of the most sophisticated supply-chain attacks in open-source history.

Origins and Context

The story traces back to Richard Stallman's frustrations in the 1980s with proprietary software (e.g., Xerox printer source code refusal and NDAs), leading him to champion free software. This ethos birthed projects like Linux, created by Linus Torvalds as an open alternative to Unix. Linux now dominates servers, supercomputers, Android (billions of devices), embedded systems, defense, banking, and more. Its security relies on "Linus's Law" (many eyes make bugs shallow) and the open review of code.

However, the ecosystem depends on thousands of small, often volunteer-maintained libraries. Critical components can rest on one person's unpaid work, creating single points of failure.

The Attack: XZ Utils Backdoor

Impact could have enabled spying, ransomware, data theft, or nation-state-level disruption (e.g., taking down infrastructure).

Discovery and Near-Miss

In March 2024, Microsoft engineer Andres Freund noticed ~400–500 ms SSH login slowdowns (plus Valgrind memory errors) while testing Postgres on Debian unstable. He traced it to XZ updates, dug deeper, and uncovered the backdoor.

He reported it privately, then publicly on the oss-security mailing list (March 29, 2024). Distributions quickly reverted/removed the versions. It never reached stable production releases widely—averting catastrophe.

Aftermath and Lessons

The narrative contrasts this near-miss with a demo (hacking a cloned Veritasium site via the backdoor) to show real-world danger, while praising Andres Freund as a hero and critiquing lack of support for volunteers like Lasse Collin. It's a cautionary tale about open source's strengths and vulnerabilities in an era of advanced threats.
24 posted on 02/26/2026 9:52:34 AM PST by E. Pluribus Unum (Democracy dies with Democrats.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

I can’t comment on the accuracy, but from a production standpoint, the video reeks of AI, like so much of the fake clickbait that is flooding YouTube recently.


25 posted on 02/26/2026 11:14:05 AM PST by Fresh Wind (I voted for Trump the Fighter, not a wussified wimp!)
[ Post Reply | Private Reply | To 21 | View Replies]

To: Fresh Wind

OK. I can understand that. The audio is all human, though. It’s just the animation.


26 posted on 02/26/2026 11:35:27 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 25 | View Replies]

To: ShadowAce

Thank you, I will take another look.


27 posted on 02/26/2026 12:16:22 PM PST by Fresh Wind (I voted for Trump the Fighter, not a wussified wimp!)
[ Post Reply | Private Reply | To 26 | View Replies]

To: ShadowAce

The world was saved by a rando at Microsoft.


28 posted on 02/26/2026 12:37:12 PM PST by Excellence (ANGRY, DAMNED-OLD, GUN-TOTIN' WOMAN FOR TRUMP)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Jamestown1630
Worse, it would turn off the grid.

A lot of people have everything in their house, light, water and heat, hooked up to the internet.

29 posted on 02/26/2026 12:46:57 PM PST by Harmless Teddy Bear (The tree accused of killed Sonny Bono was planted.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Angelino97
Even if it means mass suicides.

Why don't you show us how it is done?

Lead by example.

30 posted on 02/26/2026 12:48:11 PM PST by Harmless Teddy Bear (The tree accused of killed Sonny Bono was planted.)
[ Post Reply | Private Reply | To 17 | View Replies]

To: hillarys cankles
Bring it on. I would welcome the demise of the internet.

The internet is pretty much dead, anyway. People use it for games and commerce, but as an information and communication tool, it is pretty much dead. Anyone who remembers the internet from the 90s, for example, will remember it as the Wild West. It was truly free, and people could say what they wanted, no matter how distasteful or unpopular. Search engines returned actual legitimate returns, rather than ads or algorithm-influenced psy-ops.

And discussion forums had real people in them who gave real opinions. Now, I would wager that something approaching half of all such traffic are bots or paid "influencers". Even here on FR, we seem to have a significant population of shills.

We'd all be better off just reading a book and then heading down to the pub.
31 posted on 02/26/2026 2:59:15 PM PST by fr_freak (So foul a sky clears not without a storm.)
[ Post Reply | Private Reply | To 10 | View Replies]

To: fr_freak
No FR, no X.

Instead of Trump getting reelected, Kamala Harris would have been our President right now.

32 posted on 02/26/2026 3:00:27 PM PST by MinorityRepublican
[ Post Reply | Private Reply | To 31 | View Replies]

To: Worldtraveler once upon a time; E. Pluribus Unum
53-minute video..... Know anything about the content creator -- "includes paid promotion" and such? One comment said amusingly: "Only Veritasium can rickroll 1,2 million people within 7 hours after uploading a video." Veritasium description: An element of truth - videos about science, education, and anything else we find interesting.

Videos like this should be forbidden unless accompanied by at least a video transcript summary, as E. Pluribus Unum posted in post 24.

Which led me to provide this:

XZ Utils backdoor - https://en.wikipedia.org/wiki/XZ_Utils_backdoor

In February 2024, a malicious backdoor was introduced to the Linux build of the xz utility within the liblzma library in versions 5.6.0 and 5.6.1 by an account using the name "Jia Tan".[b][4] The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution through OpenSSH on the affected Linux system. The issue has been given the Common Vulnerabilities and Exposures number CVE-2024-3094[5] and has been assigned a CVSS score of 10.0, the highest possible score.[6]

While xz is commonly present in most Linux distributions, at the time of discovery the backdoored version had not yet been widely deployed to production systems, but was present in development versions of major distributions.[7] The backdoor was discovered by the software developer Andres Freund, who announced his findings on 29 March 2024.[8]

Background

Microsoft employee and PostgreSQL developer Andres Freund reported the backdoor after investigating a performance regression in Debian Sid.[9] Freund noticed that SSH connections were generating an unexpectedly high amount of CPU usage as well as causing errors in Valgrind,[10] a memory debugging tool.[11] Freund reported his finding to Openwall Project's open source security mailing list,[10] which brought it to the attention of various software vendors.[11] The attacker made efforts to obfuscate the code,[12] as the backdoor consists of multiple stages that act together.[13]

Once the compromised version is incorporated into the operating system, it alters the behavior of OpenSSH's SSH server daemon by abusing the systemd library, allowing the attacker to gain administrator access.[13][11] According to the analysis by Red Hat, the backdoor can "enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely".[14]

A subsequent investigation found that the campaign to insert the backdoor into the XZ Utils project was a culmination of approximately three years of effort, between November 2021 and February 2024,[15] by a user going by the name Jia Tan and the nickname JiaT75 to gain access to a position of trust within the project. After a period of pressure on the founder and head maintainer to hand over the control of the project via apparent sock puppetry, Jia Tan gained the position of co-maintainer of XZ Utils and was able to sign off on version 5.6.0, which introduced the backdoor, and version 5.6.1, which patched some anomalous behavior that could have been apparent during software testing of the operating system.[11]

Some of the suspected sock puppetry pseudonyms include accounts with usernames like Jigar Kumar, krygorin4545, and misoeater91. It is suspected that the names Jia Tan, as well as the supposed code author Hans Jansen (for versions 5.6.0 and 5.6.1), are pseudonyms chosen by the participants of the campaign. Neither have any sort of visible public presence in software development beyond the short few years of the campaign.[16][17][18]

The backdoor was notable for its level of sophistication and for the fact that the perpetrator practiced a high level of operational security for a long period of time while working to attain a position of trust. American security researcher Dave Aitel has suggested that it fits the pattern attributable to APT29, an advanced persistent threat actor believed to be working on behalf of the Russian Foreign Intelligence Service (SVR).[15] Journalist Thomas Claburn suggested that it could be any state actor or a non-state actor with considerable resources.[19]

Mechanism

The malicious code is known to be in 5.6.0 and 5.6.1 releases of the XZ Utils software package. The exploit remains dormant unless a specific third-party patch of the SSH server is used. Under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.[14] The malicious mechanism consists of two compressed test files that contain the malicious binary code. These files are available in the git repository, but remain dormant unless extracted and injected into the program.[4] The code uses the glibc IFUNC mechanism to replace an existing function in OpenSSH called RSA_public_decrypt with a malicious version. OpenSSH normally does not load liblzma, but a common third-party patch used by several Linux distributions causes it to load libsystemd, which in turn loads lzma.[4] A modified version of build-to-host.m4 was included in the release tar file uploaded on GitHub, which extracts a script that performs the actual injection into liblzma. This modified m4 file was not present in the git repository; it was only available from tar files released by the maintainer separate from git.[4] The script appears to perform the injection only when the system is being built on an x86-64 Linux system that uses glibc and GCC and is being built via dpkg or rpm.[4]

Response

Remediation

The US federal Cybersecurity and Infrastructure Security Agency issued a security advisory recommending that the affected devices should roll back to a previous uncompromised version.[20] Linux software vendors, including Red Hat, SUSE, and Debian, reverted the affected packages to older versions.[14][21][22] GitHub disabled the mirrors for the xz repository before subsequently restoring them.[23]

Canonical postponed the beta release of Ubuntu 24.04 LTS and its flavours by a week and opted for a complete binary rebuild of all the distribution's packages.[24] Although the stable version of Ubuntu was not affected, upstream versions were. This precautionary measure was taken because Canonical could not guarantee by the original release deadline that the discovered backdoor did not affect additional packages during compilation.[25]

In August 2025, Binarly researchers found several Debian Docker images on Docker Hub that still have the XZ Utils backdoor.[26][27][28] The Debian development team declined to remove the affected images, stating that they were development builds that should not be used on real systems in place of newer, clean container versions.[27][26]

Broader response

Following the incident, the Open Source Security Foundation (OpenSSF) and OpenJS Foundation issued a joint warning that the XZ Utils backdoor "may not be an isolated incident", reporting that similar social engineering attempts had targeted JavaScript projects hosted by OpenJS.[29] The foundations warned maintainers to watch for "friendly yet aggressive and persistent pursuit" by unknown community members seeking maintainer status.[30]

Computer scientist Alex Stamos opined that "this could have been the most widespread and effective backdoor ever planted in any software product", noting that had the backdoor remained undetected, it would have "given its creators a master key to any of the hundreds of millions of computers around the world that run SSH".[31] In addition, the incident also started a discussion regarding the viability of having critical pieces of cyberinfrastructure depend on unpaid volunteers.[32]

33 posted on 02/26/2026 3:06:53 PM PST by daniel1212 (Turn 2 the Lord Jesus who saves damned+destitute sinners on His acct, believe, b baptized+follow HIM)
[ Post Reply | Private Reply | To 14 | View Replies]

To: daniel1212

Source: https://en.wikipedia.org/wiki/XZ_Utils_backdoor


34 posted on 02/26/2026 3:11:02 PM PST by daniel1212 (Turn 2 the Lord Jesus who saves damned+destitute sinners on His acct, believe, b baptized+follow HIM)
[ Post Reply | Private Reply | To 33 | View Replies]

To: E. Pluribus Unum
Thx.

Computer scientist Alex Stamos opined that "this could have been the most widespread and effective backdoor ever planted in any software product", noting that had the backdoor remained undetected, it would have "given its creators a master key to any of the hundreds of millions of computers around the world that run SSH".[31] In addition, the incident also started a discussion regarding the viability of having critical pieces of cyberinfrastructure depend on unpaid volunteers.[32] - https://en.wikipedia.org/wiki/XZ_Utils_backdoor

35 posted on 02/26/2026 3:16:02 PM PST by daniel1212 (Turn 2 the Lord Jesus who saves damned+destitute sinners on His acct, believe, b baptized+follow HIM)
[ Post Reply | Private Reply | To 24 | View Replies]

To: MinorityRepublican
No FR, no X.
Instead of Trump getting reelected, Kamala Harris would have been our President right now.


Maybe (and we just barely squeaked by with that X thing, God bless Musk), but I blame those exact types of forums for the inexplicable rise of leftism in this country, especially the particularly ridiculous forms of leftism, such as transsexualism. Twitter, for example, as it was when it was fully censored, was what provided cover for the 2020 election steal AND the COVID hoax. It was nothing but an extremely useful psy-op tool for our enemies to use against us. If Musk hadn't bought it, Kamala WOULD have been president (also through fraud, but whatever).

The internet is the very definition of a double-edged sword, except that our enemies seem to have the advantage with it, precisely because you CAN'T see who is propagandizing you face-to-face.
36 posted on 02/26/2026 3:17:36 PM PST by fr_freak (So foul a sky clears not without a storm.)
[ Post Reply | Private Reply | To 32 | View Replies]

To: fr_freak
but I blame those exact types of forums for the inexplicable rise of leftism in this country

No internet. We'll go back to 1974 when Richard Nixon was forced to resign and there was nothing that we could do about it.

Except it'll be worse now because the Left had decades to take over all the institutions.

The internet saved our @$$es.

37 posted on 02/26/2026 3:19:54 PM PST by MinorityRepublican
[ Post Reply | Private Reply | To 36 | View Replies]

To: MinorityRepublican
The internet saved our @$$es.

Maybe it did, but the question is whether it is still a tool capable of saving our asses or a tool more capable of ruining us. I guarantee that the intel agencies are working hard on a way to co-opt X and everything else as we speak.

I have often thought that returning to the old bulletin board style of communication may be the solution, using VPN tunnels rather than dial-up, to weed out the intel agencies, but nothing is perfect.

Pre-internet, we were boned because too many people trusted the media without question. If we were ever to go back to that, yeah we're screwed. I would hope that we wouldn't go back to that, but we do suffer from a preponderance of the stupid, gullible, and lazy.
38 posted on 02/26/2026 3:35:44 PM PST by fr_freak (So foul a sky clears not without a storm.)
[ Post Reply | Private Reply | To 37 | View Replies]

To: fr_freak
I guarantee that the intel agencies are working hard on a way to co-opt X and everything else as we speak.

Nah.

Not as long as Elon Musk is running it.

39 posted on 02/26/2026 3:43:54 PM PST by MinorityRepublican
[ Post Reply | Private Reply | To 38 | View Replies]

To: MinorityRepublican

I hope you’re right.


40 posted on 02/26/2026 3:55:45 PM PST by fr_freak (So foul a sky clears not without a storm.)
[ Post Reply | Private Reply | To 39 | View Replies]

