6 Jia Tan Appears
The first trace is so ordinary that it takes an effort of will to find it sinister. On October 29, 2021, a small contribution arrived on xz-devel, the development mailing list where the few people who followed xz discussed its upkeep. It added an .editorconfig file, a short text file that tells code editors how to handle whitespace so that contributors do not trip over one another’s tabs and spaces (Cox 2024; Kaspersky GReAT 2024). It was housekeeping, the kind of tidy, unremarkable patch a conscientious newcomer sends to a project he means to stay with. The sender signed it “Jia Tan.” Two and a half years later, after the backdoor was found, that patch would be read as the opening move of a long and patient supply-chain operation. On the day it arrived, it was a config file. No one had any reason to look twice, and no one did.
The difficulty is to hold two facts together. The operation was malicious, and much of the work that made it possible looked genuinely useful at the time. Almost everything “Jia Tan” did across the first phase of the operation was indistinguishable from the work of an ordinary volunteer, and it was indistinguishable not because the disguise was elaborate but because, for most of that time, there was nothing to disguise. The work was real. The bug fixes fixed bugs, the documentation documented, the patches improved the software. To reconstruct the cultivation honestly is to resist reading the finished operation backward into its first, blameless-looking steps, and to ask instead what a reasonable maintainer, or a reasonable observer, could actually have seen at the time. The answer, again and again, is: a helpful contributor. Who was in fact behind the name remains unknown, and this book does not pretend otherwise; the attribution is taken up, and left open, in a later chapter. For now the name is only a name, kept in the quotation marks that mark it as the alias of a party still unidentified.
The footprints in this opening stretch were not all in xz. Within days of the mailing-list patch, in early November 2021, the same contributor, working on GitHub under the account JiaT75, opened a change to libarchive, a separate and widely used library for reading and writing archive files. Attached to an innocuous improvement of an error message, the change quietly replaced a call to safe_fprintf, a function that prints text while neutralizing dangerous control characters, with the plain fprintf, which does not. It was merged with no substantive discussion on November 15, 2021, and reverted on March 29, 2024, after the XZ Utils disclosure (Boehs 2024; emaste 2024; Goodin 2024; JiaT75 2021). Read in 2024, with the rest of the operation visible, the swap looks like reconnaissance: a small, deniable weakening of a safety boundary, dropped into a busy project to test the water. Read in 2021 it looks like a minor patch to an error message. Dan Goodin, recounting it later for Ars Technica, put the whole problem in a few words: “No one noticed at the time” (Goodin 2024). The security foundations that afterward dissected the campaign would describe the move as a probe “to see who would notice” (Bender Ginn and Arasaratnam 2024), but that reading was available only on the far side of the disclosure, and the change was not even in xz. At the time it was one more small contribution from one more helpful stranger.
The first change to xz itself followed a few months later. In late January 2022 “Jia Tan” submitted a small hardening fix to the library’s compression code, the routine kind that adds a missing safety check, and Lasse Collin merged it into the repository on February 6, 2022, recording the work under the contributor’s name (Cox 2024). It was, again, useful and unremarkable. A small fix that guards existing code against bad input is exactly the sort of contribution a maintainer is glad to receive and has little reason to scrutinize. From there “Jia Tan” settled into the rhythm of a regular contributor.
What followed was not a sprint toward a payload but something closer to its opposite: a year and a half of steady, real work. Russ Cox, who later reconstructed the operation’s social-engineering campaign commit by commit, compressed the whole of it into a sentence. “Over a period of over two years,” he wrote, “an attacker using the name ‘Jia Tan’ worked as a diligent, effective contributor to the xz compression library, eventually being granted commit access and maintainership” (Cox 2024). The point is not simply that Cox calls the contributor an attacker. It is how he describes the work: diligent, effective. The operation’s first phase was not a deception laid over the contribution; the contribution was the deception. The academic reconstruction of the attack, by Piotr Przymus and Thomas Durieux, found something sharper still when it sorted the contributions by type, because the bulk of the work was not even code. “[T]he main contribution of [the Attacker] during those years,” they write, “was not in the source code but instead in the documentation and translation” (Przymus and Durieux 2025, 96). Those are the lowest-scrutiny contributions a project receives. A fixed typo or a translated message string is welcome, easy to accept, and almost never read with suspicion, yet each one is another commit under the contributor’s name, another increment of standing. The credibility accrued without ever inviting the kind of review that code attracts.
The privileges followed the credibility. Some form of write access to the repository, the permission to change the code directly rather than submit changes for someone else’s approval, arrived in 2022, before the first visible exercise of merge authority the following January. Przymus and Durieux note that this access was never abused in the obvious way: the operator did not push malicious code, and did not rewrite the project’s history to cover the operation’s tracks (Przymus and Durieux 2025, 94). The git repository, the canonical, public, version-by-version record of the software’s development, stayed clean throughout. Whatever the payload would turn out to be, it would not travel through the one place everyone could watch. That distinction matters a great deal later; here it is simply one more reason the cultivation drew no fire. The identity had reach as well as depth. Kaspersky’s analysts, picking through the account afterward, counted more than five hundred contributions under JiaT75 across several unrelated open-source projects going back to early 2022, so that the xz work sat inside a wider pattern of ordinary participation, a plausible open-source résumé built in public; by the same account the account itself had been registered in January 2021 and left dormant for months before the first patch (Kaspersky GReAT 2024). These are a vendor’s retrospective findings, not contemporaneous alarms, and that is exactly the point. Assembled after the fact, they trace a deliberate, patient construction of legitimacy. Encountered one patch at a time, they were just a productive newcomer.
A security company captured the ordinariness better than any sympathizer could. “Almost two years ago,” Akamai’s researchers wrote in the days after the disclosure, “a developer under the name of Jia Tan joined the project and started opening pull requests for various bug fixes or improvements. So far, nothing is out of the ordinary; this is how things work in the open-source world” (Akamai Security Intelligence Group 2024). The sentence is an admission against interest, a security vendor conceding that the attack’s opening was indistinguishable from the normal functioning of the thing it attacked. There was no anomaly to detect, because the behavior was the norm.
That norm deserves to be stated plainly, because the operation exploited it precisely, and it is less a flaw than a founding commitment. Open-source software is built by people who mostly do not know one another and mostly never will, and its culture made a virtue of exactly that. Karl Fogel, whose handbook on running free-software projects is close to a standard text, states the welcoming principle as an ideal to aim for: “The goal is to make every user realize that there is no innate difference between himself and the people who work on the project — that it’s a question of how much time and effort one puts in, not a question of who one is” (Fogel 2020, 143). Who one is should not matter; what one contributes should. It is a generous idea, and it is also, read from the far side of XZ Utils, the precise gap the operator stepped through. Fogel makes the same point from the other direction with a story he plainly means as encouragement. A project once had a contributor whose work was good enough that no one thought to wonder about him, until it emerged that he was thirteen years old. “Because that kid didn’t write like a thirteen-year-old,” Fogel writes, “no one knew that’s what he was” (Fogel 2020, 95). Online, a contributor is only the quality and consistency of his work; everything else (age, location, employer, intention) is invisible unless he chooses to reveal it. Fogel offers this as liberation, and for a gifted teenager it is. Run against a patient operator it is the whole problem in a line: a competent, consistent contributor is indistinguishable from a competent, consistent attacker, because competence and consistency are nearly all the medium transmits.
None of this made pseudonymity itself a warning sign, because pseudonymity was unremarkable. A 2020 survey of free- and open-source contributors found that most, around 90%, worked under their real name or a stable handle linked to it, but that a small and persistent minority, roughly one in sixteen, contributed under a screen name connected to no real identity anywhere, and the culture accommodated them without friction (Nagle et al. 2020, 75). The same survey found that for nearly two-thirds of their contributions, respondents had known no one on the project before they joined (Nagle et al. 2020, 53). Trust, in other words, was routinely extended to strangers as a condition of the work getting done at all. A persistent, useful, pseudonymous contributor was not an anomaly to be explained. It was a recognized and accommodated part of the culture that kept open source alive. The habit was old, and within the field entirely respectable. Cox, writing in 2019 about the hazards of depending on other people’s code, well before anyone had reason to connect the thought to xz, described why programmers accept the arrangement so readily: “Because it’s easy, it seems to work, everyone else is doing it, and, most importantly, it seems like a natural continuation of age-old established practice. But there are important differences that are being ignored” (Cox 2019, 37). Accepting a helpful stranger’s code was not a lapse peculiar to Collin or to xz. It was the default behavior of the entire ecosystem, the thing that let a volunteer keep a library alive without auditing the life story of everyone who sent a fix.
Trust, once extended, compounds in a particular way: a contributor earns it not in a leap but by accretion, one small correct change after another, until a standing has been built that no one quite remembers granting. Linus Torvalds, recalling for the writer Glyn Moody how the early Linux kernel came to rely on its contributors, described the mechanism without a trace of alarm: “They started out so small, that I never got the feeling that, hey, how dare they impose on my system. Instead, I just said, OK, that’s right, obviously correct, and so in it went. . . . And again they grew gradually, and so at no point I felt, hey, I’m losing control” (Moody 2001). That is how legitimate maintainership has always been earned. It is also the path the operator walked: each change obviously correct, the trust gradual, the loss of control invisible because at no single moment was any control visibly lost.
All of which is why the most important corrective comes from the one person with the least reason to be generous about it. After the backdoor was exposed, Collin went back through the commits the internet had begun to flag as suspicious and annotated them in public, one by one. What he produced is not a confession but a debunking, and it is the discipline the reconstruction has to borrow. Many of the changes that looked sinister in hindsight were, Collin pointed out, simply good. Of one substantial reworking of the library’s decoder he wrote: “These are good and were created at my request. They are big but it’s hard to split them into smaller pieces. The original versions of these are from 2023-04-24. I made small edits but it was agreed that I would commit these in his name” (Collin 2024). Reviewing with full knowledge of the betrayal, the maintainer still rated the work as good, and as his own idea. The labor was real. That is not a mitigating detail; it is the mechanism. The helpfulness was not cover for the operation. For the better part of two years it was the operation.
Collin’s review punctures the hindsight reading at the level of detail, too. Among the commits the public treated as tells was one whose recorded timezone did not match Collin’s own, a discrepancy that looked, after the fact, like evidence of an impostor working from another part of the world. Every git commit is stamped with a timezone, and once the operation was known, those stamps were combed for patterns; that analysis belongs to a later chapter and stays genuinely unresolved there. But this particular clue dissolved on contact with the person involved. “This is one of the supposedly suspicous commits due to the timezone,” Collin wrote, preserving his own typo. “In reality Jia put it in my name by common agreement because I had done a significant portion of it” (Collin 2024). The commit was Collin’s own work, attributed to him by an informal arrangement in which the two of them moved changes between their names by handshake. Read forward, it is a clue. Read accurately, it is two collaborators in a tiny project not standing on ceremony. The lesson is not that the suspicious signals were all innocent, but that in real time they were unreadable, and that a great many of them, examined closely, are innocent still. The academic study reaches the same caution by a colder route. The operation, Przymus and Durieux conclude, “shows how routine project involvement can be methodically exploited, underscoring the difficulty of distinguishing between well-intentioned and malicious contributors” (Przymus and Durieux 2025, 96). The difficulty is not incidental to the finding. It is the finding.
What the patience bought, slowly, was authority. The currency of an open-source project is not money but standing, and standing converts, by degrees, into power over the code. The conversion is visible in the record. On January 7, 2023, “Jia Tan” visibly merged a change for the first time, the act of accepting a contribution into the official code rather than merely offering one, which is the practical mark of having been trusted with the keys (Boehs 2024). By the middle of that year the trust ran in the other direction as well: a performance optimization that Collin himself had written was committed to the repository under “Jia Tan’s” hand on June 27, 2023. The maintainer was now routing his own work through the newcomer. Groundwork for the same optimization had been laid a few days earlier by yet another contributor, one calling himself “Hans Jansen,” a name that would recur, and that the book returns to when it takes up the question of who was really at the keyboard (Boehs 2024).
None of this required force, and that is the unsettling part. It required persistence. Collin’s review, again, shows the texture of it. Of one set of additions to the library’s programming interface he wrote, “I found and still find these useless additions to the API. He kept insisting on them so eventually I gave in. There’s nothing technically wrong, I just think they don’t improve readability” (Collin 2024). He kept insisting, so eventually I gave in. It is worth sitting with how ordinary that is: a maintainer with limited backup, faced with a contributor who is friendly, productive, and simply will not let a point drop, eventually accepts a harmless change he still does not think improves the software. The same pattern recurs in the record more than once. There is no exploit in it, no breach, nothing a security tool could flag. There is only sustained pressure, applied through ordinary collaboration, and a project structured so that pressure on one person could be enough. And that pressure did not come only from inside the collaboration. While “Jia Tan” pressed Collin patiently across the code review, a separate chorus of insistent strangers had begun pressing him from outside, on the same mailing list, toward the same end. That campaign is the subject of the next chapter; what matters here is that the two halves were complementary, the helpful insider and the demanding outsiders converging on one maintainer with limited backup.
Step back from the detail and the strategic shape is plain. Eighteen months of genuinely useful work can be a more effective way into a critical project than a technical exploit, because the project’s defenses are built to catch bad code, while the work that earned trust was mostly useful, ordinary work. The defenses assume that bad faith arrives looking like bad faith. This arrived looking like help. Set against the ordinary run of attacks on open source, the patience is almost eccentric. The largest catalog of these incidents assembled before XZ Utils, a 2020 review by Marc Ohm and colleagues of 174 malicious packages, found that most of them, 61%, worked by typosquatting: registering a package under a name a keystroke away from a popular one, then waiting for a developer to fumble the spelling and install the imposter by mistake (Ohm et al. 2020, 12). Typosquatting is a numbers game, cheap and crude and instantly disposable. The XZ Utils operation was its opposite in every dimension. It did not impersonate a trusted project; it became one, from the inside, over years, by doing the real work. On the distribution of supply-chain attacks it sits at the far, rare, expensive end, the patient exception in a field dominated by smash-and-grab. The patterns that would later be offered as warning signs, the gradually escalating involvement, the slow accumulation of privilege, were patterns only in retrospect. Drawn forward into a checklist after the disclosure, they describe the operation exactly. Applied beforehand, they describe almost every dedicated volunteer open source has ever had.
What the patience also bought was cover for the person underneath it, and that cover has held. The care taken over the long cultivation was itself a kind of tradecraft, the discipline to spend the better part of two years being useful for the sake of a payoff that might never come. Molly, a systems administrator at the Electronic Frontier Foundation (EFF) who goes by a single name, named both halves of that discipline in one breath, speaking to The Intercept after the disclosure: “The care taken to hide the exploits in binary test files as well as the sheer time taken to gain a reputation in the open-source project to later exploit it are abnormally sophisticated” (Mazurov 2024). The reputation-building and the concealment were the same project, pursued with the same patience. The concealment is a later chapter’s subject. The reputation-building is this one’s, and at the time of writing the figure who did it remains a name in quotation marks and nothing else. Who “Jia Tan” was, whether one person or several, working for whom, is taken up where the evidence for it lives, in the chapter on the hunt, and is not resolved there, because it has not been resolved anywhere.
The cultivation worked because it asked the system to do the one thing it was built to do, accept good work from a stranger, and gave it good work to accept. By the start of 2023 the stranger held the keys. There had been no break-in. A key had been handed over, one small, reasonable concession at a time, inside a project where help was scarce and the pressure kept increasing. But the handing over was not yet finished, and the patience inside the collaboration had a louder counterpart outside it. Before the keys changed hands for good, a small crowd of strangers would spend eight weeks telling Collin, in escalating tones, that he could not be trusted to keep them.