References
Akamai Security Intelligence Group. 2024. XZ Utils
Backdoor — Everything You Need to Know, and What You Can Do. https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know.
Alpha-Omega. 2022. 2022 Annual Report. Open
Source Security Foundation (OpenSSF). https://openssf.org/wp-content/uploads/2022/12/OpenSSF-Alpha-Omega-Annual-Report-2022.pdf.
Alpha-Omega. 2024. 2023 Annual Report. Open
Source Security Foundation (OpenSSF). https://alpha-omega.dev/wp-content/uploads/sites/22/2024/02/Alpha-Omega-Annual-Report-2023.pdf.
Alpha-Omega. 2025. 2024 Annual Report. Open
Source Security Foundation (OpenSSF). https://alpha-omega.dev/wp-content/uploads/sites/22/2025/01/Alpha-Omega-Annual-Report-2024_012925.pdf.
Alpha-Omega. n.d. “About Alpha-Omega.” Accessed May 31,
2026. https://alpha-omega.dev/about/about-alpha-omega/.
Beaumont, Kevin. 2024. Inside the Failed Attempt to Backdoor
SSH Globally — That Got Caught by Chance. https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd.
Benkler, Yochai. 2006. The Wealth of Networks: How Social Production
Transforms Markets and Freedom. Yale University Press.
Binarly REsearch. 2025. Persistent Risk: XZ Utils
Backdoor Still Lurking in Docker Images. Binarly. https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-docker.
Boehs, Evan. 2024. Everything I Know about the
XZ Backdoor. https://boehs.org/node/everything-i-know-about-the-xz-backdoor.
Bonaccorso, Salvatore. 2024. xz-utils
Security Update. Debian Security Advisory DSA-5649-1. Debian
Project. https://lists.debian.org/debian-security-announce/2024/msg00057.html.
Bowker, Geoffrey C., and Susan Leigh Star. 1999. Sorting Things Out:
Classification and Its Consequences. MIT Press.
Buchanan, Ben. 2020. The Hacker and the State: Cyber Attacks and the
New Normal of Geopolitics. Harvard University Press.
Chance, Gloria. 2023. Tips and Strategies for Reducing Stress and
Burnout by Creating Psychological Safety. https://lpc.events/event/17/sessions/153/.
Coleman, E. Gabriella. 2013. Coding Freedom: The Ethics and
Aesthetics of Hacking. Princeton University Press.
Collin, Lasse. 2022. Re: [Xz-Devel] XZ for Java. https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html.
Collin, Lasse. 2024a. Remove the Backdoor Found in 5.6.0 and 5.6.1
(CVE-2024-3094). Git commit
e93e13c8b3bec925c56e0c0b675d8000a0f7f754 in tukaani-project/xz. GitHub.
https://github.com/tukaani-project/xz/commit/e93e13c8b3bec925c56e0c0b675d8000a0f7f754.
Collin, Lasse. 2024b. XZ Utils Review Notes. https://tukaani.org/xz-backdoor/review.html.
Collin, Lasse. n.d. XZ Utils Backdoor. Accessed
May 31, 2025. https://tukaani.org/xz-backdoor/.
Corbet, Jonathan. 2024. A Backdoor in xz. LWN.net. https://lwn.net/Articles/967180/.
Corbet, Jonathan, and Greg Kroah-Hartman. 2016. Linux
Kernel Development: How Fast It Is Going, Who Is Doing It, What They Are
Doing and Who Is Sponsoring the Work. Linux Foundation. https://www.linuxfoundation.org/hubfs/lf_pub_whowriteslinux2016.pdf.
Cox, Russ. 2019. “Surviving Software Dependencies.”
Communications of the ACM 62 (9): 36–43. https://doi.org/10.1145/3347446.
Cox, Russ. 2024. Timeline of the Xz Open Source Attack. https://research.swtch.com/xz-timeline.
Cusumano, Michael A. 2005. “Foreword.” In Perspectives
on Free and Open Source Software, edited by Joseph Feller, Brian
Fitzgerald, Scott A. Hissam, and Karim R. Lakhani. MIT Press.
CVE Program. 2024. Xz: Malicious Code in Distributed
Source. CVE Record. CVE Program. https://www.cve.org/CVERecord?id=CVE-2024-3094.
Cyber Safety Review Board. 2022. Review of the December 2021
Log4j Event. U.S. Department of Homeland Security. https://www.cisa.gov/sites/default/files/2023-02/CSRB-Report-on-Log4j-PublicReport-July-11-2022-508-Compliant.pdf.
Cybersecurity and Infrastructure Security Agency. 2023.
CISA Open Source Software Security Roadmap. U.S.
Department of Homeland Security. https://www.cisa.gov/sites/default/files/2023-09/CISA-Open-Source-Software-Security-Roadmap-508c.pdf.
Cybersecurity and Infrastructure Security Agency. 2024a. Reported
Supply Chain Compromise Affecting XZ Utils Data Compression
Library, CVE-2024-3094. https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094.
Cybersecurity and Infrastructure Security Agency. 2024b. Secure
Software Development Attestation Form. https://www.cisa.gov/sites/default/files/2024-04/Self_Attestation_Common_Form_FINAL_508c.pdf.
Cybersecurity and Infrastructure Security Agency. 2025. 2025 Minimum
Elements for a Software Bill of Materials (SBOM).
Public comment draft. U.S. Department of Homeland Security. https://www.cisa.gov/sites/default/files/2025-08/2025_CISA_SBOM_Minimum_Elements.pdf.
Deng, Peng, Lei Zhang, Yuchuan Meng, Zhemin Yang, Yuan Zhang, and Min
Yang. 2025. “ChainFuzz: Exploiting Upstream
Vulnerabilities in Open-Source Supply Chains.” 34th USENIX
Security Symposium (USENIX Security 25) (Seattle, WA), August. https://www.usenix.org/conference/usenixsecurity25/presentation/deng.
Durumeric, Zakir, James Kasten, David Adrian, et al. 2014. “The
Matter of Heartbleed.” Proceedings of the 2014 Conference on
Internet Measurement Conference (IMC ’14) (New York), November 5,
475–88. https://doi.org/10.1145/2663716.2663755.
Eghbal, Nadia. 2016. Roads and Bridges: The Unseen Labor Behind Our
Digital Infrastructure. Ford Foundation. https://www.fordfoundation.org/learning/library/research-reports/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure/.
Eghbal, Nadia. 2020. Working in Public: The Making and Maintenance
of Open Source Software. Stripe Press.
Ellis, Ryan, and Jaikrishna Bollampalli. 2024. Bug Bounties and
FOSS: Opportunities, Risks, and a Path Forward.
Sovereign Tech Fund. https://www.sovereign.tech/public/files/Bug-Bounties-and-FOSS-EN.pdf.
emaste. 2024. Tar: Make Error Reporting
More Robust and Use Correct Errno. Pull request 2101,
libarchive/libarchive. GitHub. https://github.com/libarchive/libarchive/pull/2101.
European Parliament and Council of the European Union. 2024.
Regulation (EU) 2024/2847 of the European Parliament
and of the Council of 23 October 2024 on Horizontal Cybersecurity
Requirements for Products with Digital Elements and Amending Regulations
(EU) No 168/2013 and (EU) 2019/1020 and
Directive (EU) 2020/1828 (Cyber Resilience
Act). https://eur-lex.europa.eu/eli/reg/2024/2847/oj.
European Union Agency for Cybersecurity (ENISA). 2021.
ENISA Threat Landscape for Supply Chain Attacks.
European Union Agency for Cybersecurity (ENISA). https://doi.org/10.2824/168593.
Executive Office of the President. 2021. Executive Order 14028 of May 12, 2021: Improving
the Nation’s Cybersecurity. https://www.govinfo.gov/content/pkg/FR-2021-05-17/pdf/2021-10460.pdf.
FireEye. 2020. Highly Evasive Attacker Leverages
SolarWinds Supply Chain to Compromise Multiple Global
Victims with SUNBURST Backdoor. https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.
Fogel, Karl. 2020. Producing Open Source Software: How to Run a
Successful Free Software Project. 2nd ed. https://producingoss.com/.
Freire, Rodrigo. 2024. Understanding Red Hat’s Response
to the XZ Security Incident. Red Hat. https://www.redhat.com/en/blog/understanding-red-hats-response-xz-security-incident.
Freund, Andres. 2024a. A Chat about the XZ Backdoor
with the Guy Who Found It. Podcast interview by Patrick Gray and
Adam Boileau, episode 743. Risky Business. https://risky.biz/RB743/.
Freund, Andres. 2024b. Backdoor in Upstream Xz/Liblzma Leading to
Ssh Server Compromise. https://www.openwall.com/lists/oss-security/2024/03/29/4.
Freund, Andres. 2024c. Discovering the XZ Backdoor with
Andres Freund. Podcast interview by Bryan Cantrill and Adam
Leventhal. Oxide and Friends.
Freund, Andres. 2024d. I Accidentally Found a Security Issue While
Benchmarking Postgres Changes. https://mastodon.social/@AndresFreundTec/112180083704606941.
Freund, Andres, and Thomas Roccia. 2024. Behind the Scenes of the
XZ Vuln with Andres Freund and Thomas Roccia. Podcast
interview by Sherrod DeGrippo, episode 18. Microsoft Threat Intelligence
Podcast.
Gates, William H. 1976. “An Open Letter to Hobbyists.”
Homebrew Computer Club Newsletter 2 (1): 2. https://commons.wikimedia.org/wiki/File:Bill_Gates_Letter_to_Hobbyists.jpg.
Glyph. 2024. I Really Hope That This Causes an Industry-Wide
Reckoning. https://mastodon.social/@glyph/112180922900094371.
Goodin, Dan. 2024. What We Know about the xz Utils Backdoor That Almost Infected the
World. https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/.
Greenberg, Andy. 2019. Sandworm: A New Era of Cyberwar and the Hunt
for the Kremlin’s Most Dangerous Hackers. Doubleday.
Greenberg, Andy. 2022. Tracers in the Dark: The Global Hunt for the
Crime Lords of Cryptocurrency. Doubleday.
Haruyama, Takahiro. 2025. Docker Hub Debian Image Contains
CVE-2024-3094 Backdoor. Issue \#246 in
debuerreotype/docker-debian-artifacts. GitHub. https://github.com/debuerreotype/docker-debian-artifacts/issues/246.
Hess, Joey. 2024. “revert to version that
does not contain changes by bad actor.” Bug report
1068024, package xz-utils. Debian Bug Tracking System, March 29. https://bugs.debian.org/1068024.
Hoffmann, Manuel, Frank Nagle, and Yanuo Zhou. 2024. The Value of
Open Source Software. Working Paper Nos. 24-038.
Harvard Business School Strategy Unit. https://doi.org/10.2139/ssrn.4693148.
James, Sam. 2024a. “=app-arch/xz-utils-5.6.0,
=app-arch/xz-utils-5.6.1: backdoor in release tarballs.”
Bug report 928134, Gentoo Security. Gentoo Bugzilla, March 29. https://bugs.gentoo.org/928134.
James, Sam. 2024b. FAQ on the Xz-Utils Backdoor
(CVE-2024-3094). https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27.
Jansen, Hans. 2024. xz-utils: New upstream
version available. Bug report 1067708, package xz-utils.
Debian Bug Tracking System. https://bugs.debian.org/1067708.
JiaT75. 2021. Added Error Text to Warning When Untaring with bsdtar. Pull request 1609,
libarchive/libarchive. GitHub. https://github.com/libarchive/libarchive/pull/1609.
Kali Linux. 2024. All about the xz-utils
Backdoor. https://www.kali.org/blog/about-the-xz-backdoor/.
Kalu, Kelechi G., Tanmay Singla, Chinenye Okafor, Santiago Torres-Arias,
and James C. Davis. 2025. “An Industry Interview Study of Software
Signing for Supply Chain Security.” 34th USENIX Security
Symposium (USENIX Security 25) (Seattle, WA), August, 81–100. https://www.usenix.org/conference/usenixsecurity25/presentation/kalu.
Kaspersky GReAT. 2024a. Assessing the Y, and How, of
the XZ Utils Incident. https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/.
Kaspersky GReAT. 2024b. XZ Backdoor Story: Initial
Analysis. https://securelist.com/xz-backdoor-story-part-1/112354/.
Keefe, Patrick Radden. 2021. Empire of Pain: The Secret History of
the Sackler Dynasty. Doubleday.
Knuth, Donald E. 1974. “Computer Programming as an Art.”
Communications of the ACM 17 (12): 667–73. https://doi.org/10.1145/361604.361612.
Krebs, Brian. 2024. Some Thoughts about Attribution in the
XZ Backdoor. https://infosec.exchange/@briankrebs/112197305365490518.
Lakhani, Karim R., and Robert G. Wolf. 2005. “Why Hackers Do What
They Do: Understanding Motivation and Effort in Free/Open Source
Software Projects.” In Perspectives on Free and Open Source
Software, edited by Joseph Feller, Brian Fitzgerald, Scott A.
Hissam, and Karim R. Lakhani. MIT Press.
Leite, Anderson. 2024. XZ Backdoor: Hook Analysis.
https://securelist.com/xz-backdoor-part-3-hooking-ssh/113007/.
Lerner, Josh, and Jean Tirole. 2005. “Economic Perspectives on
Open Source.” In Perspectives on Free and Open Source
Software, edited by Joseph Feller, Brian Fitzgerald, Scott A.
Hissam, and Karim R. Lakhani. MIT Press.
Linux Foundation. 2020. 2020 Linux Kernel History
Report. Linux Foundation. https://www.linuxfoundation.org/resources/publications/linux-kernel-history-report-2020.
Linux Foundation. 2026. https://www.linuxfoundation.org/press/linux-foundation-announces-12.5-million-in-grant-funding-from-leading-organizations-to-advance-open-source-security.
Maffulli, Stefano. 2023. Meta’s LLaMa License Is Not
Open Source. Open Source Initiative. https://opensource.org/blog/metas-llama-2-license-is-not-open-source.
Mandiant. 2022. Assembling the Russian Nesting Doll:
UNC2452 Merged into APT29. https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/.
Mastery Learning. 2024. Linus Torvalds: XZ Utils Breach
Raises Questions about Trust in Open Source Development. https://www.youtube.com/watch?v=vtce4vmZIC8.
Mazurov, Nikita. 2024. The Other Players Who Helped (Almost) Make
the World’s Biggest Backdoor Hack. The Intercept. https://theintercept.com/2024/04/03/linux-hack-xz-utils-backdoor/.
Meiklejohn, Sarah, Marjori Pomarole, Grant Jordan, et al. 2013. “A
Fistful of Bitcoins: Characterizing Payments Among Men with No
Names.” Proceedings of the 2013 Conference on Internet
Measurement Conference (IMC ’13) (New York), October 23, 127–39. https://doi.org/10.1145/2504730.2504747.
Meissner, Marcus. 2024. openSUSE
Addresses Supply Chain Attack Against xz
Compression Library. openSUSE. https://news.opensuse.org/2024/03/29/xz-backdoor/.
Meta. 2024a. Llama 3.1 Acceptable Use Policy. https://www.llama.com/llama3_1/use-policy.
Meta. 2024b. Llama 3.1 Community License
Agreement. https://github.com/meta-llama/llama-models/blob/main/models/llama3_1/LICENSE.
Moody, Glyn. 2001. Rebel Code: Linux and the Open Source
Revolution. Perseus.
Munroe, Randall. 2020. “Dependency.” August 17. https://xkcd.com/2347/.
Nagle, Frank, David A. Wheeler, Hila Lifshitz-Assaf, Haylee Ham, and
Jennifer L. Hoffman. 2020. Report on the 2020 FOSS
Contributor Survey. The Linux Foundation; Laboratory for Innovation
Science at Harvard. https://www.linuxfoundation.org/wp-content/uploads/2020FOSSContributorSurveyReport_121020.pdf.
Nagle, Frank, Jessica Wilkerson, James Dana, and Jennifer L. Hoffman.
2020. Vulnerabilities in the Core: Preliminary Report and Census
II of Open Source Software. The Linux Foundation; The
Laboratory for Innovation Science at Harvard.
National Institute of Standards and Technology. 2022. Secure
Software Development Framework (SSDF) Version 1.1:
Recommendations for Mitigating the Risk of Software Vulnerabilities
(NIST SP 800-218). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-218.
National Telecommunications and Information Administration. 2021.
The Minimum Elements for a Software Bill of Materials
(SBOM). U.S. Department of Commerce. https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom.
O’Mahony, Siobhán. 2005. “Nonprofit Foundations and Their Role in
Community-Firm Software Collaboration.” In Perspectives on
Free and Open Source Software, edited by Joseph Feller, Brian
Fitzgerald, Scott A. Hissam, and Karim R. Lakhani. MIT Press.
Office of Management and Budget. 2022. Enhancing the Security of the
Software Supply Chain Through Secure Software Development
Practices. https://bidenwhitehouse.archives.gov/wp-content/uploads/2022/09/M-22-18.pdf.
Office of Management and Budget. 2026. Adopting a Risk-Based
Approach to Software and Hardware Security. https://www.whitehouse.gov/wp-content/uploads/2026/01/M-26-05-Adopting-a-Risk-based-Approach-to-Software-and-Hardware-Security.pdf.
Ohm, Marc, Henrik Plate, Arnold Sykosch, and Michael Meier. 2020.
“Backstabber’s Knife Collection: A Review of Open Source Software
Supply Chain Attacks.” arXiv Preprint arXiv:2005.09535,
May 19. https://arxiv.org/abs/2005.09535.
Open Source Initiative. 2007. The Open Source Definition. https://opensource.org/osd.
OpenSSH. 2024. OpenSSH 9.8/9.8p1 Release Notes. https://www.openssh.com/txt/release-9.8.
OpenSSL. n.d. “RSA_private_encrypt,
RSA_public_decrypt.” Accessed June 1,
2026. https://docs.openssl.org/master/man3/RSA_private_encrypt/.
Osborne, Cailean, Paul Sharratt, Dawn Foster, and Mirko Boehm. 2024.
“A Toolkit for Measuring the Impacts of Public Funding on Open
Source Software Development.” arXiv Preprint
arXiv:2411.06027, November 9. https://arxiv.org/abs/2411.06027.
Ostrom, Elinor. 1990. Governing the Commons: The Evolution of
Institutions for Collective Action. Cambridge University Press.
Perlroth, Nicole. 2021. This Is How They Tell Me the World Ends: The
Cyberweapons Arms Race. Bloomsbury.
Ponta, Serena Elisa, Henrik Plate, and Antonino Sabetta. 2020.
“Detection, Assessment and Mitigation of Vulnerabilities in Open
Source Dependencies.” Empirical Software Engineering 25
(5): 3175–215. https://doi.org/10.1007/s10664-020-09830-x.
PostgreSQL Core Team. 2020. New PostgreSQL Core Team
Members. https://www.postgresql.org/about/news/new-postgresql-core-team-members-2103/.
Przymus, Piotr, and Thomas Durieux. 2025. “Wolves in the
Repository: A Software Engineering Analysis of the XZ Utils
Supply Chain Attack.” 22nd IEEE/ACM
International Conference on Mining Software Repositories,
MSR@ICSE 2025, Ottawa, ON, Canada, April 28-29, 2025,
April 28, 91–102. https://doi.org/10.1109/MSR66628.2025.00026.
Raymond, Eric S. 2001. The Cathedral and the Bazaar: Musings on
Linux and Open Source by an Accidental Revolutionary. Revised.
O’Reilly.
Red Hat. 2024. Urgent Security Alert for Fedora Linux
40 and Fedora Rawhide Users. https://www.redhat.com/en/blog/urgent-security-alert-fedora-40-and-rawhide-users.
Rid, Thomas. 2020. Active Measures: The Secret History of
Disinformation and Political Warfare. Farrar, Straus; Giroux.
Roccia, Thomas. 2024. The XZ Backdoor Story: The
Undercover Operation That Set the Internet on Fire. Conference
talk. DEF CON 32. https://www.youtube.com/watch?v=hwuIb-Vv2Ew.
Roncone, Gabby, Dan Black, John Wolfram, et al. 2024.
APT44: Unearthing Sandworm. Mandiant / Google
Cloud Threat Intelligence. https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf.
Schorlemmer, Taylor R., Kelechi G. Kalu, Luke Chigges, et al. 2024.
“Signing in Four Public Software Package Registries: Quantity,
Quality, and Influencing Factors.” 2024 IEEE Symposium on
Security and Privacy (SP), May, 1160–78. https://doi.org/10.1109/SP54263.2024.00215.
Star, Susan Leigh. 1999. “The Ethnography of
Infrastructure.” American Behavioral Scientist 43 (3):
377–91. https://doi.org/10.1177/00027649921955326.
Stoll, Clifford. 1989. The Cuckoo’s Egg: Tracking a Spy Through the
Maze of Computer Espionage. Doubleday.
Tidelift. 2023. The 2023 Tidelift State of the Open Source
Maintainer Report. Tidelift. https://tidelift.com/open-source-maintainer-survey-2023.
Torvalds, Linus. 1991. What Would You Like to See Most in
Minix? https://groups.google.com/g/comp.os.minix/c/dlNtH7RRrGA.
Torvalds, Linus, and David Diamond. 2001. Just for Fun: The Story of
an Accidental Revolutionary. HarperBusiness.
Tukaani Project. n.d.-a. “LZMA Utils.”
Accessed June 7, 2026. https://tukaani.org/lzma/.
Tukaani Project. n.d.-c. LZMA Utils README.
Accessed June 7, 2026. https://git.tukaani.org/?p=lzma.git;a=blob_plain;f=README;hb=HEAD.
Tukaani Project. n.d.-d. “XZ Utils.” Accessed
June 7, 2026. https://tukaani.org/xz/.
Valsorda, Filippo. 2024. Preliminary Analysis of the XZ
Utils Backdoor Payload. https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b.
Weems, Anthony. 2024. Xzbot: Notes, Honeypot, and Exploit Demo for
the Xz Backdoor (CVE-2024-3094). https://github.com/amlweems/xzbot.
Williams, Sam. 2010. Free as in Freedom (2.0): Richard Stallman and
the Free Software Revolution. 2nd ed. Free Software Foundation. https://static.fsf.org/nosvn/faif-2.0.pdf.
xz-devel mailing list. 2022.
Pressure-Campaign Correspondence on the Xz-Devel Mailing List.
https://www.mail-archive.com/xz-devel@tukaani.org/.
Zalewski, Michał. 2024. Techies Vs Spies: The xz Backdoor Debate. https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor.
Zemczak, Łukasz. 2024. Noble Numbat Beta Delayed (xz/liblzma Security Update). Ubuntu Community
Hub. https://discourse.ubuntu.com/t/noble-numbat-beta-delayed-xz-liblzma-security-update/43827.
Zetter, Kim. 2014. Countdown to Zero Day: Stuxnet and the Launch of
the World’s First Digital Weapon. Crown.
Zittrain, Jonathan L. 2008. The Future of the Internet — and How to
Stop It. Yale University Press.