A well-resourced, persistent intruder, usually state-backed, that works for long-term access rather than a quick break-in. Security firms track such groups under numbered labels they assign rather than names the group chose, such as APT44 (also known as Sandworm). The XZ Utils operator fits the profile of a capable, patient adversary but, unlike a tracked APT, was never identified.
backdoor
A hidden piece of code that lets someone bypass normal authentication and gain secret access to a system.
benevolent dictator
The founder or lead maintainer of an open-source project who holds final say over which changes are accepted, an authority that rests on accumulated trust and reputation rather than any formal office. Linus Torvalds is the original example, with the last word over the Linux kernel; the term generalizes to any project organized around a single trusted decision-maker. The arrangement concentrates a project’s direction, and its safety, in one person.
build
The process of turning human-readable source code into the program a computer actually runs.
bus factor
How many people would have to abruptly drop away from a project (the grim image is being hit by a bus) before it stalls because no one left understands the code. A bus factor of one means the whole project lives in a single maintainer’s head, as xz did.
CNA
CVE Numbering Authority: an organization authorized to assign CVE identifiers for vulnerabilities within its own scope. Red Hat acted as the CNA for the XZ Utils backdoor, assigning it CVE-2024-3094.
commit
A single recorded change to a project’s code, with an author and a timestamp, stored in the project’s history.
committer
A trusted project contributor with permission to write changes directly into the project’s code repository. A committer is not necessarily the sole maintainer, but has been given authority over the project’s history.
configure script
A build-time script, often named configure, that checks a machine and prepares source code to be compiled. In the backdoored xz releases, malicious commands were hidden so they ran during this preparation step, before the library was built.
CVE
Common Vulnerabilities and Exposures: the public catalog of known security flaws, and the unique number it gives each one (the XZ Utils backdoor is CVE-2024-3094).
CVSS
Common Vulnerability Scoring System: a standard scale from 0 to 10 that rates how severe a security flaw is. The XZ Utils backdoor was scored 10.0, the maximum, and rated “critical.”
CWE
Common Weakness Enumeration: a catalog of the kinds of software weakness, as distinct from the specific cases recorded as CVEs. The XZ Utils backdoor is classed CWE-506, embedded malicious code, the category for code planted on purpose rather than a flaw introduced by mistake.
Debian Free Software Guidelines (DFSG)
Debian’s criteria for what may ship as free software in its main archive, among them that a package provide real, modifiable source rather than opaque binaries. The XZ Utils payload was hidden as binary blobs disguised as test files, with no source behind them; when Lasse Collin removed the backdoor, he named this violation of the guidelines first, before the security harm.
dependency
A piece of software that another program needs in order to work.
distribution (distro)
A complete, packaged operating system (Debian, Fedora, Ubuntu) assembled from thousands of open-source components.
downstream
The direction a piece of software travels after its upstream project, out to the distributions that repackage it and the users who run it. The XZ Utils backdoor was caught while still moving downstream, before it reached stable releases.
dynamic linker
The part of a Linux system that connects a running program to the shared libraries it needs. The XZ Utils backdoor abused this machinery to reach functions used by sshd.
exploit
A technique or piece of code that turns a vulnerability into a working attack.
IFUNC
A GNU C Library mechanism that lets a program choose between different implementations of a function while a shared library is being loaded. In the XZ Utils incident, a legitimate performance feature became one of the places the backdoor could take control.
long-term support (LTS) kernel
A kernel release singled out to receive security and bug fixes for years rather than months, so distributions can build on a stable base without chasing every new version. Most everyday Linux systems run a kernel derived from one of these long-lived releases.
mainline
The canonical, official line of a project’s code that its lead maintainers release from, as opposed to the many side branches where work happens first. In the Linux kernel, a change reaches the mainline only after passing through a subsystem maintainer.
maintainer
The person, or small group, responsible for keeping a piece of software working: reviewing changes, fixing bugs, and publishing releases. Often unpaid.
NOBUS
“Nobody but us”: a backdoor or vulnerability built so that only the party who planted it can trigger it, because using it requires a secret they alone hold (in the XZ Utils case, the operator’s private signing key). A term from the intelligence world. The XZ Utils backdoor was NOBUS by design, which is why researchers who had the code still could not turn it against others, and why observing one attack would not let a defender reuse it elsewhere.
non-maintainer upload (NMU)
In Debian, a package upload made by someone other than the package’s listed maintainer, usually to fix a problem when the maintainer is unavailable or a change is urgent. In the XZ Utils incident, pressure around an NMU helped push the backdoored upstream release toward Debian.
object file
A compiled fragment of code that is not yet a complete program or library. In the backdoored xz releases, the hidden payload was extracted as an object file and linked into liblzma during the build.
open source
Software whose source code is public and free to use, study, modify, and share. The phrase is also a defined standard: the Open Source Initiative’s Open Source Definition sets out ten criteria a license must meet, among them no discrimination against any person or group and no restriction on the field of use. A license that lets anyone read the code but limits who may use it, or for what, is “source-available” rather than open source, a distinction the AI industry’s recent claims on the word have blurred.
open-source software steward
A legal category created by the EU Cyber Resilience Act for an organization, often a foundation, that sustains a free or open-source project relied on by commercial products without selling the software itself. Stewards carry lighter obligations than commercial manufacturers and, under the Act, face no fines.
package confusion attack
A class of supply-chain attack that gets a victim to install malicious code by publishing it under a name close to, or easily mistaken for, a package they meant to use; typosquatting is its commonest form. The book notes the category mainly to mark what the XZ Utils attack was not: not a lookalike planted under a deceptive name, but a real, trusted library quietly corrupted from within.
package manager
A tool that automatically downloads, installs, and updates the software packages a program or system depends on, pulling in their own dependencies in turn. On Linux distributions it is the machinery (apt on Debian and Ubuntu, dnf on Fedora) that carries code from an upstream release down to a user’s machine.
payload
The part of an attack that does the actual damage, as opposed to the parts that deliver or conceal it.
provenance
A verifiable record of where a piece of code came from and everything done to it along the way: its origin, who has owned and changed it, and when. The XZ Utils backdoor lived in the gap between a project’s public source and the release tarball built from it.
release channel
A distribution’s lane for software at a particular stability level, such as unstable, testing, pre-release, or stable. The XZ Utils backdoor reached some unstable and pre-release channels, which is different from reaching stable systems.
release tarball
The packaged archive a project publishes for people to download and build. It can differ from what is in the public code repository, which is where the XZ Utils backdoor hid.
remote code execution (RCE)
The ability to make a computer run commands from another machine. In the XZ Utils case, the concern was pre-authentication remote code execution: an attacker with the right key material could make sshd execute a command before normal login had succeeded.
repository (repo)
The version-controlled store of a project’s code and its full history of commits.
rolling release
A distribution that ships a continuous stream of updates rather than discrete, versioned editions, so its users run new software soon after it is published. openSUSE Tumbleweed is one; fast-moving channels like it took the backdoored xz quickly, while slower fixed-release editions did not.
Sandworm
The common name for the Russian military-intelligence cyber group that Mandiant designates APT44 (see advanced persistent threat). The book uses it as a contrast: a state attacker that has been publicly attributed, against the XZ Utils operator, who has not.
SBOM
Software Bill of Materials: an inventory of the components inside a piece of software, and how they depend on one another, meant to make its supply chain auditable. It records which components are present, not whether a trusted one has been tampered with.
self-attestation
A software producer’s own signed declaration that it follows specified secure-development practices, accepted by a buyer in place of independent verification. The U.S. government required it for federal software purchases from 2022 until the rule was rescinded in 2026; a producer could instead submit a third-party assessment, but in the usual case the assurance rested on a signature, not an audit.
Signed-off-by
A line a developer adds to a kernel change to certify, by name, that it may legally be included; the sequence of these lines records the chain of hands a change passed through on its way in. It documents who vouched for code, the kind of trust record the XZ Utils release process, built outside the public repository, bypassed.
social engineering
The practice of manipulating people, rather than breaking software, to win trust or access.
software supply chain
The full chain of code, people, and tools a finished program depends on. A weakness anywhere along it, a single unmaintained library or one trusted contributor, can compromise everything built on top.
SSH / sshd
Secure Shell, the standard way to log into a remote computer; sshd is the program that listens for those logins on the server.
SSH certificate / certificate authority (CA)
An SSH certificate is an ordinary SSH key bundled with identity and validity information and signed by a separate key, a certificate authority (CA), that the server has been configured to trust. Presenting one makes the server read the CA’s public key out of the certificate and verify its signature before a login can succeed. The XZ Utils backdoor used this normal step as its delivery path: a crafted certificate carried an attacker-controlled CA key whose modulus hid the encrypted command, so that the act of verifying it reached the hooked function in sshd.
stable tree / stable updates
The stream of fixes applied to a kernel after its initial release, maintained separately from new feature work. These stable updates are the base from which most distributions build the kernel they actually ship, one of the links in the chain that would have carried the XZ Utils backdoor downstream.
subsystem maintainer / subsystem tree
A maintainer who controls one part of the kernel (networking, a driver family, a filesystem) and the code branch, the subsystem tree, through which changes to that part flow before reaching the mainline. The kernel spreads authority across more than a hundred such maintainers, the opposite of the single-maintainer arrangement that left xz exposed.
systemd / libsystemd
systemd is the service manager used by many Linux distributions to start and supervise system processes. libsystemd is one of its libraries; in some distributions, patches caused sshd to load libsystemd, which in turn made liblzma reachable during SSH server startup.
test fixture
A file or input used to check that software behaves correctly. In the XZ Utils backdoor, malicious code was hidden inside binary test fixtures, a place reviewers were less likely to inspect by hand.
tragedy of the commons
The idea that a resource open to everyone and owned by no one is ruined by overuse, because each user gains from taking more while the cost of depletion is shared by all. Coined for grazing pastures and fisheries, the phrase is often stretched to open-source software; this book treats the collapse as a risk to be governed rather than an inevitable fate, and locates the resource that can actually be used up not in the code, which no one depletes by copying, but in the finite attention and trust of the maintainers who keep it alive.
transitive dependency
A dependency reached through another dependency, rather than one a program requires directly. Such indirect dependencies are easy to overlook, and a flaw in one is as dangerous as a flaw in code you chose yourself. The XZ Utils backdoor rode into sshd as a transitive dependency, by way of libsystemd and liblzma.
trusted-account misuse
The use of an account or identity that a project has learned to trust in a way that turns that trust against the project. In the XZ Utils incident, the danger was not only malicious code but the authority attached to a contributor identity that had become ordinary.
typosquatting
Registering a malicious package under a near-miss spelling of a popular one (reqeusts for requests), so that a mistyped or misremembered name installs the attacker’s copy. The commonest form of a package confusion attack, and another thing the XZ Utils backdoor was not.
upstream
The original project a piece of software comes from. Linux distributions pull code “downstream” from upstream projects, repackage it, and ship it to users; the XZ Utils backdoor was planted upstream and was weeks from flowing down into stable Debian, Fedora, and Ubuntu.
valgrind
A debugging tool that watches a program while it runs and reports memory errors and other abnormal behavior. valgrind errors were among the odd symptoms that helped expose the XZ Utils backdoor.
VEX
Vulnerability Exploitability eXchange: a machine-readable statement that a known vulnerability in a bundled component does not actually put a product at risk, because the flawed code is never reached or is not built in. It distinguishes a flaw being present from its being exploitable.
vulnerability
A flaw in software that can be abused to make it behave in ways its users never intended.
wiper
Malware built to destroy, overwriting files or a disk’s startup records, rather than to steal data or hold it for ransom. The XZ Utils backdoor was not a wiper; the term appears where the book contrasts it with the destructive operations of state cyber actors.
xz / liblzma
A widely used compression tool (xz) and the library beneath it (liblzma), installed on nearly every Linux system.
Zero Trust
A security approach that gives nothing standing trust and re-verifies every request for access, on the assumption that an attacker may already be inside the network. It is built for machine and network access and does not reach the human trust that open-source maintenance runs on.