Malicious xz backdoor reveals fragility of open source
ID: 4b16a82b-e306-5e26-ae11-551798bc90d7
STIX ID: report--4b16a82b-e306-5e26-ae11-551798bc90d7
Feed Name: The Register (Security)
**Executive summary:** A malicious backdoor was found in the xz/liblzma compression library that could allow remote code execution on vulnerable Linux systems by hooking into SSH via IFUNC/glibc; the backdoor was introduced across multiple commits (some appearing only in source tarballs) as part of a long-term infiltration and was caught early in a few bleeding-edge distributions (e.g., Fedora Rawhide/40, Debian Unstable, Kali). The report outlines the staged trust-building campaign against the maintainer, the technical mechanism and potential impact, and states attribution remains unconfirmed though the operation shows high sophistication.
