I’m genuinely disturbed that a person who was a core developer could just go rogue.

From what I’ve been reading, it sounds like they were malicious from the very beginning. The work to integrate the malware goes back to 2021. boehs.org/…/everything-i-know-about-the-xz-backdo…

It’s an extremely sophisticated attack that was hidden very well, and was only accidentally discovered by someone who noticed that rejected SSH connections (eg invalid key or password) were using more CPU power and taking 0.5s longer than they should have. mastodon.social/…/112180406142695845

From that post, commits set to UTC+0800 and activity between UTC 12-17 indicate that the programmer wasn’t operating from California but from another country starting with C. The name is also another hint.

That could be part of their plan though… Make people think they’re from China when in reality they’re a state-sponsored actor from a different country. Hard to tell at this point. The scary thing is they got very close to sneaking this malware in undetected.

A lot of critical projects are only maintained by one person who may end up burning out, so I’m surprised we haven’t seen more attacks like this. Gain the trust of the maintainer (maybe fix some bugs, reply to some mailing-list posts, etc), take over maintenance, and slowly add some malware one small piece at a time, interspersed with enough legit commits that you become one of the top contributors (and thus people start implicitly trusting you).

Edit: Based on this analysis, they may have been based in a European timezone and just changed their timezone to UTC+8 before committing to Git to make it look like they were in China: …substack.com/…/xz-backdoor-times-damned-times-an…. Their commits were usually between 9 am and 6 pm Eastern European Time, and there are a few commits where the timezone was set to UTC+2 instead of UTC+8.

Except China is one of the countries involved in cyber warfare