References

Akamai Security Intelligence Group. 2024. XZ Utils Backdoor — Everything You Need to Know, and What You Can Do. https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know.
Alpha-Omega. 2022. 2022 Annual Report. Open Source Security Foundation (OpenSSF). https://openssf.org/wp-content/uploads/2022/12/OpenSSF-Alpha-Omega-Annual-Report-2022.pdf.
Alpha-Omega. 2024. 2023 Annual Report. Open Source Security Foundation (OpenSSF). https://alpha-omega.dev/wp-content/uploads/sites/22/2024/02/Alpha-Omega-Annual-Report-2023.pdf.
Alpha-Omega. 2025. 2024 Annual Report. Open Source Security Foundation (OpenSSF). https://alpha-omega.dev/wp-content/uploads/sites/22/2025/01/Alpha-Omega-Annual-Report-2024_012925.pdf.
Alpha-Omega. n.d. “About Alpha-Omega.” Accessed May 31, 2026. https://alpha-omega.dev/about/about-alpha-omega/.
Beaumont, Kevin. 2024. Inside the Failed Attempt to Backdoor SSH Globally — That Got Caught by Chance. https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd.
Bender Ginn, Robin, and Omkhar Arasaratnam. 2024. XZ Utils Cyberattack Likely Not an Isolated Incident. Open Source Security Foundation (OpenSSF) and OpenJS Foundation. https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/.
Benkler, Yochai. 2006. The Wealth of Networks: How Social Production Transforms Markets and Freedom. Yale University Press.
Binarly REsearch. 2025. Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images. Binarly. https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-docker.
Boehs, Evan. 2024. Everything I Know about the XZ Backdoor. https://boehs.org/node/everything-i-know-about-the-xz-backdoor.
Bonaccorso, Salvatore. 2024. xz-utils Security Update. Debian Security Advisory DSA-5649-1. Debian Project. https://lists.debian.org/debian-security-announce/2024/msg00057.html.
Bowker, Geoffrey C., and Susan Leigh Star. 1999. Sorting Things Out: Classification and Its Consequences. MIT Press.
Buchanan, Ben. 2020. The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. Harvard University Press.
Chance, Gloria. 2023. Tips and Strategies for Reducing Stress and Burnout by Creating Psychological Safety. https://lpc.events/event/17/sessions/153/.
Coleman, E. Gabriella. 2013. Coding Freedom: The Ethics and Aesthetics of Hacking. Princeton University Press.
Collin, Lasse. 2022. Re: [Xz-Devel] XZ for Java. https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html.
Collin, Lasse. 2024a. Remove the Backdoor Found in 5.6.0 and 5.6.1 (CVE-2024-3094). Git commit e93e13c8b3bec925c56e0c0b675d8000a0f7f754 in tukaani-project/xz. GitHub. https://github.com/tukaani-project/xz/commit/e93e13c8b3bec925c56e0c0b675d8000a0f7f754.
Collin, Lasse. 2024b. XZ Utils Review Notes. https://tukaani.org/xz-backdoor/review.html.
Collin, Lasse. n.d. XZ Utils Backdoor. Accessed May 31, 2025. https://tukaani.org/xz-backdoor/.
Corbet, Jonathan. 2024. A Backdoor in xz. LWN.net. https://lwn.net/Articles/967180/.
Corbet, Jonathan, and Greg Kroah-Hartman. 2016. Linux Kernel Development: How Fast It Is Going, Who Is Doing It, What They Are Doing and Who Is Sponsoring the Work. Linux Foundation. https://www.linuxfoundation.org/hubfs/lf_pub_whowriteslinux2016.pdf.
Cox, Russ. 2019. “Surviving Software Dependencies.” Communications of the ACM 62 (9): 36–43. https://doi.org/10.1145/3347446.
Cox, Russ. 2024. Timeline of the Xz Open Source Attack. https://research.swtch.com/xz-timeline.
Cusumano, Michael A. 2005. “Foreword.” In Perspectives on Free and Open Source Software, edited by Joseph Feller, Brian Fitzgerald, Scott A. Hissam, and Karim R. Lakhani. MIT Press.
CVE Program. 2024. Xz: Malicious Code in Distributed Source. CVE Record. CVE Program. https://www.cve.org/CVERecord?id=CVE-2024-3094.
Cyber Safety Review Board. 2022. Review of the December 2021 Log4j Event. U.S. Department of Homeland Security. https://www.cisa.gov/sites/default/files/2023-02/CSRB-Report-on-Log4j-PublicReport-July-11-2022-508-Compliant.pdf.
Cybersecurity and Infrastructure Security Agency. 2023. CISA Open Source Software Security Roadmap. U.S. Department of Homeland Security. https://www.cisa.gov/sites/default/files/2023-09/CISA-Open-Source-Software-Security-Roadmap-508c.pdf.
Cybersecurity and Infrastructure Security Agency. 2024a. Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094. https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094.
Cybersecurity and Infrastructure Security Agency. 2024b. Secure Software Development Attestation Form. https://www.cisa.gov/sites/default/files/2024-04/Self_Attestation_Common_Form_FINAL_508c.pdf.
Cybersecurity and Infrastructure Security Agency. 2025. 2025 Minimum Elements for a Software Bill of Materials (SBOM). Public comment draft. U.S. Department of Homeland Security. https://www.cisa.gov/sites/default/files/2025-08/2025_CISA_SBOM_Minimum_Elements.pdf.
Deng, Peng, Lei Zhang, Yuchuan Meng, Zhemin Yang, Yuan Zhang, and Min Yang. 2025. ChainFuzz: Exploiting Upstream Vulnerabilities in Open-Source Supply Chains.” 34th USENIX Security Symposium (USENIX Security 25) (Seattle, WA), August. https://www.usenix.org/conference/usenixsecurity25/presentation/deng.
Durumeric, Zakir, James Kasten, David Adrian, et al. 2014. “The Matter of Heartbleed.” Proceedings of the 2014 Conference on Internet Measurement Conference (IMC ’14) (New York), November 5, 475–88. https://doi.org/10.1145/2663716.2663755.
Eghbal, Nadia. 2016. Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure. Ford Foundation. https://www.fordfoundation.org/learning/library/research-reports/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure/.
Eghbal, Nadia. 2020. Working in Public: The Making and Maintenance of Open Source Software. Stripe Press.
Ellis, Ryan, and Jaikrishna Bollampalli. 2024. Bug Bounties and FOSS: Opportunities, Risks, and a Path Forward. Sovereign Tech Fund. https://www.sovereign.tech/public/files/Bug-Bounties-and-FOSS-EN.pdf.
emaste. 2024. Tar: Make Error Reporting More Robust and Use Correct Errno. Pull request 2101, libarchive/libarchive. GitHub. https://github.com/libarchive/libarchive/pull/2101.
European Parliament and Council of the European Union. 2024. Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on Horizontal Cybersecurity Requirements for Products with Digital Elements and Amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act). https://eur-lex.europa.eu/eli/reg/2024/2847/oj.
European Union Agency for Cybersecurity (ENISA). 2021. ENISA Threat Landscape for Supply Chain Attacks. European Union Agency for Cybersecurity (ENISA). https://doi.org/10.2824/168593.
Executive Office of the President. 2021. Executive Order 14028 of May 12, 2021: Improving the Nation’s Cybersecurity. https://www.govinfo.gov/content/pkg/FR-2021-05-17/pdf/2021-10460.pdf.
FireEye. 2020. Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor. https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.
Fogel, Karl. 2020. Producing Open Source Software: How to Run a Successful Free Software Project. 2nd ed. https://producingoss.com/.
Freire, Rodrigo. 2024. Understanding Red Hat’s Response to the XZ Security Incident. Red Hat. https://www.redhat.com/en/blog/understanding-red-hats-response-xz-security-incident.
Freund, Andres. 2024a. A Chat about the XZ Backdoor with the Guy Who Found It. Podcast interview by Patrick Gray and Adam Boileau, episode 743. Risky Business. https://risky.biz/RB743/.
Freund, Andres. 2024b. Backdoor in Upstream Xz/Liblzma Leading to Ssh Server Compromise. https://www.openwall.com/lists/oss-security/2024/03/29/4.
Freund, Andres. 2024c. Discovering the XZ Backdoor with Andres Freund. Podcast interview by Bryan Cantrill and Adam Leventhal. Oxide and Friends.
Freund, Andres. 2024d. I Accidentally Found a Security Issue While Benchmarking Postgres Changes. https://mastodon.social/@AndresFreundTec/112180083704606941.
Freund, Andres, and Thomas Roccia. 2024. Behind the Scenes of the XZ Vuln with Andres Freund and Thomas Roccia. Podcast interview by Sherrod DeGrippo, episode 18. Microsoft Threat Intelligence Podcast.
Gates, William H. 1976. “An Open Letter to Hobbyists.” Homebrew Computer Club Newsletter 2 (1): 2. https://commons.wikimedia.org/wiki/File:Bill_Gates_Letter_to_Hobbyists.jpg.
Glyph. 2024. I Really Hope That This Causes an Industry-Wide Reckoning. https://mastodon.social/@glyph/112180922900094371.
Goodin, Dan. 2024. What We Know about the xz Utils Backdoor That Almost Infected the World. https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/.
Greenberg, Andy. 2019. Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. Doubleday.
Greenberg, Andy. 2022. Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. Doubleday.
Haruyama, Takahiro. 2025. Docker Hub Debian Image Contains CVE-2024-3094 Backdoor. Issue \#246 in debuerreotype/docker-debian-artifacts. GitHub. https://github.com/debuerreotype/docker-debian-artifacts/issues/246.
Hess, Joey. 2024. revert to version that does not contain changes by bad actor.” Bug report 1068024, package xz-utils. Debian Bug Tracking System, March 29. https://bugs.debian.org/1068024.
Hoffmann, Manuel, Frank Nagle, and Yanuo Zhou. 2024. The Value of Open Source Software. Working Paper Nos. 24-038. Harvard Business School Strategy Unit. https://doi.org/10.2139/ssrn.4693148.
James, Sam. 2024a. =app-arch/xz-utils-5.6.0, =app-arch/xz-utils-5.6.1: backdoor in release tarballs.” Bug report 928134, Gentoo Security. Gentoo Bugzilla, March 29. https://bugs.gentoo.org/928134.
James, Sam. 2024b. FAQ on the Xz-Utils Backdoor (CVE-2024-3094). https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27.
Jansen, Hans. 2024. xz-utils: New upstream version available. Bug report 1067708, package xz-utils. Debian Bug Tracking System. https://bugs.debian.org/1067708.
JiaT75. 2021. Added Error Text to Warning When Untaring with bsdtar. Pull request 1609, libarchive/libarchive. GitHub. https://github.com/libarchive/libarchive/pull/1609.
Kali Linux. 2024. All about the xz-utils Backdoor. https://www.kali.org/blog/about-the-xz-backdoor/.
Kalu, Kelechi G., Tanmay Singla, Chinenye Okafor, Santiago Torres-Arias, and James C. Davis. 2025. “An Industry Interview Study of Software Signing for Supply Chain Security.” 34th USENIX Security Symposium (USENIX Security 25) (Seattle, WA), August, 81–100. https://www.usenix.org/conference/usenixsecurity25/presentation/kalu.
Kaspersky GReAT. 2024a. Assessing the Y, and How, of the XZ Utils Incident. https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/.
Kaspersky GReAT. 2024b. XZ Backdoor Story: Initial Analysis. https://securelist.com/xz-backdoor-story-part-1/112354/.
Keefe, Patrick Radden. 2021. Empire of Pain: The Secret History of the Sackler Dynasty. Doubleday.
Knuth, Donald E. 1974. “Computer Programming as an Art.” Communications of the ACM 17 (12): 667–73. https://doi.org/10.1145/361604.361612.
Krebs, Brian. 2024. Some Thoughts about Attribution in the XZ Backdoor. https://infosec.exchange/@briankrebs/112197305365490518.
Lakhani, Karim R., and Robert G. Wolf. 2005. “Why Hackers Do What They Do: Understanding Motivation and Effort in Free/Open Source Software Projects.” In Perspectives on Free and Open Source Software, edited by Joseph Feller, Brian Fitzgerald, Scott A. Hissam, and Karim R. Lakhani. MIT Press.
Leite, Anderson. 2024. XZ Backdoor: Hook Analysis. https://securelist.com/xz-backdoor-part-3-hooking-ssh/113007/.
Lerner, Josh, and Jean Tirole. 2005. “Economic Perspectives on Open Source.” In Perspectives on Free and Open Source Software, edited by Joseph Feller, Brian Fitzgerald, Scott A. Hissam, and Karim R. Lakhani. MIT Press.
Linux Foundation. 2020. 2020 Linux Kernel History Report. Linux Foundation. https://www.linuxfoundation.org/resources/publications/linux-kernel-history-report-2020.
Linux Foundation. 2026. https://www.linuxfoundation.org/press/linux-foundation-announces-12.5-million-in-grant-funding-from-leading-organizations-to-advance-open-source-security.
Maffulli, Stefano. 2023. Meta’s LLaMa License Is Not Open Source. Open Source Initiative. https://opensource.org/blog/metas-llama-2-license-is-not-open-source.
Mandiant. 2022. Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/.
Mastery Learning. 2024. Linus Torvalds: XZ Utils Breach Raises Questions about Trust in Open Source Development. https://www.youtube.com/watch?v=vtce4vmZIC8.
Mazurov, Nikita. 2024. The Other Players Who Helped (Almost) Make the World’s Biggest Backdoor Hack. The Intercept. https://theintercept.com/2024/04/03/linux-hack-xz-utils-backdoor/.
Meiklejohn, Sarah, Marjori Pomarole, Grant Jordan, et al. 2013. “A Fistful of Bitcoins: Characterizing Payments Among Men with No Names.” Proceedings of the 2013 Conference on Internet Measurement Conference (IMC ’13) (New York), October 23, 127–39. https://doi.org/10.1145/2504730.2504747.
Meissner, Marcus. 2024. openSUSE Addresses Supply Chain Attack Against xz Compression Library. openSUSE. https://news.opensuse.org/2024/03/29/xz-backdoor/.
Meta. 2024a. Llama 3.1 Acceptable Use Policy. https://www.llama.com/llama3_1/use-policy.
Meta. 2024b. Llama 3.1 Community License Agreement. https://github.com/meta-llama/llama-models/blob/main/models/llama3_1/LICENSE.
Moody, Glyn. 2001. Rebel Code: Linux and the Open Source Revolution. Perseus.
Munroe, Randall. 2020. “Dependency.” August 17. https://xkcd.com/2347/.
Nagle, Frank, David A. Wheeler, Hila Lifshitz-Assaf, Haylee Ham, and Jennifer L. Hoffman. 2020. Report on the 2020 FOSS Contributor Survey. The Linux Foundation; Laboratory for Innovation Science at Harvard. https://www.linuxfoundation.org/wp-content/uploads/2020FOSSContributorSurveyReport_121020.pdf.
Nagle, Frank, Jessica Wilkerson, James Dana, and Jennifer L. Hoffman. 2020. Vulnerabilities in the Core: Preliminary Report and Census II of Open Source Software. The Linux Foundation; The Laboratory for Innovation Science at Harvard.
National Institute of Standards and Technology. 2022. Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities (NIST SP 800-218). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-218.
National Telecommunications and Information Administration. 2021. The Minimum Elements for a Software Bill of Materials (SBOM). U.S. Department of Commerce. https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom.
O’Mahony, Siobhán. 2005. “Nonprofit Foundations and Their Role in Community-Firm Software Collaboration.” In Perspectives on Free and Open Source Software, edited by Joseph Feller, Brian Fitzgerald, Scott A. Hissam, and Karim R. Lakhani. MIT Press.
Office of Management and Budget. 2022. Enhancing the Security of the Software Supply Chain Through Secure Software Development Practices. https://bidenwhitehouse.archives.gov/wp-content/uploads/2022/09/M-22-18.pdf.
Office of Management and Budget. 2026. Adopting a Risk-Based Approach to Software and Hardware Security. https://www.whitehouse.gov/wp-content/uploads/2026/01/M-26-05-Adopting-a-Risk-based-Approach-to-Software-and-Hardware-Security.pdf.
Ohm, Marc, Henrik Plate, Arnold Sykosch, and Michael Meier. 2020. “Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks.” arXiv Preprint arXiv:2005.09535, May 19. https://arxiv.org/abs/2005.09535.
Open Source Initiative. 2007. The Open Source Definition. https://opensource.org/osd.
OpenSSH. 2024. OpenSSH 9.8/9.8p1 Release Notes. https://www.openssh.com/txt/release-9.8.
OpenSSL. n.d. RSA_private_encrypt, RSA_public_decrypt.” Accessed June 1, 2026. https://docs.openssl.org/master/man3/RSA_private_encrypt/.
Osborne, Cailean, Paul Sharratt, Dawn Foster, and Mirko Boehm. 2024. “A Toolkit for Measuring the Impacts of Public Funding on Open Source Software Development.” arXiv Preprint arXiv:2411.06027, November 9. https://arxiv.org/abs/2411.06027.
Ostrom, Elinor. 1990. Governing the Commons: The Evolution of Institutions for Collective Action. Cambridge University Press.
Perlroth, Nicole. 2021. This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury.
Ponta, Serena Elisa, Henrik Plate, and Antonino Sabetta. 2020. “Detection, Assessment and Mitigation of Vulnerabilities in Open Source Dependencies.” Empirical Software Engineering 25 (5): 3175–215. https://doi.org/10.1007/s10664-020-09830-x.
PostgreSQL Core Team. 2020. New PostgreSQL Core Team Members. https://www.postgresql.org/about/news/new-postgresql-core-team-members-2103/.
Przymus, Piotr, and Thomas Durieux. 2025. “Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack.” 22nd IEEE/ACM International Conference on Mining Software Repositories, MSR@ICSE 2025, Ottawa, ON, Canada, April 28-29, 2025, April 28, 91–102. https://doi.org/10.1109/MSR66628.2025.00026.
Raymond, Eric S. 2001. The Cathedral and the Bazaar: Musings on Linux and Open Source by an Accidental Revolutionary. Revised. O’Reilly.
Red Hat. 2024. Urgent Security Alert for Fedora Linux 40 and Fedora Rawhide Users. https://www.redhat.com/en/blog/urgent-security-alert-fedora-40-and-rawhide-users.
Rid, Thomas. 2020. Active Measures: The Secret History of Disinformation and Political Warfare. Farrar, Straus; Giroux.
Roccia, Thomas. 2024. The XZ Backdoor Story: The Undercover Operation That Set the Internet on Fire. Conference talk. DEF CON 32. https://www.youtube.com/watch?v=hwuIb-Vv2Ew.
Roncone, Gabby, Dan Black, John Wolfram, et al. 2024. APT44: Unearthing Sandworm. Mandiant / Google Cloud Threat Intelligence. https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf.
Schorlemmer, Taylor R., Kelechi G. Kalu, Luke Chigges, et al. 2024. “Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors.” 2024 IEEE Symposium on Security and Privacy (SP), May, 1160–78. https://doi.org/10.1109/SP54263.2024.00215.
Star, Susan Leigh. 1999. “The Ethnography of Infrastructure.” American Behavioral Scientist 43 (3): 377–91. https://doi.org/10.1177/00027649921955326.
Stoll, Clifford. 1989. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. Doubleday.
Tidelift. 2023. The 2023 Tidelift State of the Open Source Maintainer Report. Tidelift. https://tidelift.com/open-source-maintainer-survey-2023.
Torvalds, Linus. 1991. What Would You Like to See Most in Minix? https://groups.google.com/g/comp.os.minix/c/dlNtH7RRrGA.
Torvalds, Linus, and David Diamond. 2001. Just for Fun: The Story of an Accidental Revolutionary. HarperBusiness.
Tukaani Project. 2010. XZ Utils AUTHORS. Source file at tag v5.0.0. https://github.com/tukaani-project/xz/blob/v5.0.0/AUTHORS.
Tukaani Project. n.d.-a. LZMA Utils.” Accessed June 7, 2026. https://tukaani.org/lzma/.
Tukaani Project. n.d.-b. LZMA Utils AUTHORS. Accessed June 7, 2026. https://git.tukaani.org/?p=lzma.git;a=blob_plain;f=AUTHORS;hb=HEAD.
Tukaani Project. n.d.-c. LZMA Utils README. Accessed June 7, 2026. https://git.tukaani.org/?p=lzma.git;a=blob_plain;f=README;hb=HEAD.
Tukaani Project. n.d.-d. XZ Utils.” Accessed June 7, 2026. https://tukaani.org/xz/.
Valsorda, Filippo. 2024. Preliminary Analysis of the XZ Utils Backdoor Payload. https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b.
Weems, Anthony. 2024. Xzbot: Notes, Honeypot, and Exploit Demo for the Xz Backdoor (CVE-2024-3094). https://github.com/amlweems/xzbot.
Williams, Sam. 2010. Free as in Freedom (2.0): Richard Stallman and the Free Software Revolution. 2nd ed. Free Software Foundation. https://static.fsf.org/nosvn/faif-2.0.pdf.
xz-devel mailing list. 2022. Pressure-Campaign Correspondence on the Xz-Devel Mailing List. https://www.mail-archive.com/xz-devel@tukaani.org/.
Zalewski, Michał. 2024. Techies Vs Spies: The xz Backdoor Debate. https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor.
Zemczak, Łukasz. 2024. Noble Numbat Beta Delayed (xz/liblzma Security Update). Ubuntu Community Hub. https://discourse.ubuntu.com/t/noble-numbat-beta-delayed-xz-liblzma-security-update/43827.
Zetter, Kim. 2014. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. Crown.
Zittrain, Jonathan L. 2008. The Future of the Internet — and How to Stop It. Yale University Press.