Assessing the Y, and How, of the XZ Utils incident
ID: 7501d16f-2fbc-51c3-8a56-d0878fa75b4c
STIX ID: report--7501d16f-2fbc-51c3-8a56-d0878fa75b4c
Feed Name: Securelist by Kaspersky
This report examines a prolonged social-engineering supply-chain compromise of the XZ Utils open-source project, in which multiple fictitious identities pressured the maintainer to add a co-maintainer and introduced obfuscated backdoor code (Feb–Mar 2024) designed to enable exclusive sshd access. The attackers then attempted to accelerate distribution of the backdoored upstream into major Linux distributions, with tactics and persistence comparable to major supply-chain incidents like SolarWinds.
