4 Billion Devices Run His Code. He Said He Was Drowning. A Spy Was Already Inside.

One spy. 849 days of fake patches. A burned-out maintainer who just wanted help. A backdoor almost opened every Linux server on Earth.


Billions of devices. One unpaid maintainer. Zero defenses.

XZ Utils is a compression tool that runs on almost every Linux system in existence. When your server decompresses a package or a Docker container unpacks its layers, something handles the compression. On most Linux machines, that something is xz. It is invisible, it runs everywhere, and we don't think about it.

One Finnish developer maintained it alone. His name is Lasse Collin. In 2022, he told the world he was struggling with his mental health. A likely nation-state intelligence operation had already been active for months. They knew exactly what to do with that information.

This is the story of the most sophisticated supply chain attack in open source history, and the one person it was designed to exploit.
