The Great Escape: The most devastating security breach in the history of open-source software.
The story of Andres Freund, a curious developer who quietly saved the world from a digital catastrophe most of us didn't even hear about.
In March 2024, the digital world narrowly escaped what security experts now call one of the most sophisticated and potentially devastating cyberattacks in modern computing history.
The threat wasn't announced with blaring alarms or dramatic headlines. Instead, it emerged as a quiet anomaly, an unexplained performance hiccup that most would have dismissed, but one curious engineer chose to investigate.
Had this backdoor remained undetected, millions of Linux computers worldwide — from cloud servers powering Fortune 500 companies to critical infrastructure systems and hospitals — could have been silently compromised, creating an unprecedented security disaster.
But they weren't, thanks to one man's relentless curiosity.
The Discovery: When something doesn't feel right

Imagine finding a nearly invisible thread in a tapestry that, when pulled, could unravel the entire fabric. That's essentially what happened when Andres Freund, a PostgreSQL developer and Microsoft engineer, noticed something peculiar while coding away right before a flight stateside.
Freund wasn't looking for security threats. He was troubleshooting a performance issue on a testing version of Debian Linux called Debian Sid [1]. What caught his attention were strange symptoms that seemed unrelated to his original task: SSH connections (the secure protocol used to remotely access computers) were consuming unusual amounts of CPU time and triggering errors in memory debugging tools.
"The backdoor was uncovered when Freund, investigating a performance regression in Debian Sid, noticed anomalies in SSH connections," explains a security analysis from Pionect [2].
Most developers might have shrugged these issues off as unrelated glitches. Freund didn't. Instead, he followed the breadcrumbs deep into the system.
Those breadcrumbs led to XZ Utils, a fundamental compression library that helps Linux systems manage files by compressing and decompressing data (similar to how you might zip or unzip files on your computer). It's like the hidden plumbing within the walls of a house, essential but rarely noticed until something goes wrong.
The right person at the perfect moment
Andres Freund wasn't just any developer who happened to notice an anomaly. His background made him uniquely qualified to recognise and understand the significance of what he was seeing.
As a long-time contributor to PostgreSQL, one of the world's most sophisticated open-source database systems, Freund had developed an intuitive sense for how complex software systems should behave. His work at Microsoft further honed his abilities to spot inconsistencies in high-performance computing environments.
Freund represents a special breed of engineer, one who combines deep technical expertise with relentless curiosity. He didn't just identify that something was wrong; he pursued the mystery through layers of code and system architecture until he uncovered the truth.
This combination of expertise and investigative instinct proved invaluable. When Freund realised what he had discovered, he immediately reported the finding to the Openwall Project's open-source security mailing list on March 29, 2024, triggering a rapid response from security teams worldwide.
Inside the Trojan Horse: A masterclass in deception
The backdoor Freund discovered wasn't a crude hack. It was digital artistry, malicious, yes, but implemented with extraordinary technical sophistication and patience.
Hidden within versions 5.6.0 and 5.6.1 [3] of XZ Utils, the backdoor was designed to exploit a chain of software dependencies. In simple terms, it used the fact that when one piece of software (OpenSSH) relies on another (systemd), which relies on another (XZ Utils), there's an opportunity to create a hidden pathway between them.
The backdoor leveraged a feature called GNU IFUNC (Indirect Function), a mechanism designed to optimise performance that instead became the perfect vector for attack. As one GitHub analysis bluntly stated [4]:
"IFUNC is probably a bad idea [because it] undermines one of the most basic assumptions of programming: that the mere act of loading a library will not inherently change your program."
The malicious code was assigned a CVSS score of 10.0, the highest possible severity rating for a vulnerability. It would have allowed an attacker with a specific private key to bypass SSH authentication entirely, gaining administrator-level access to compromised systems.
What makes this attack particularly chilling is that the code wasn't hidden in the open-source repository where developers could review it. Instead, it was inserted only into the packaged versions (tarballs) that Linux distributions use during their build processes, a brilliant sleight of hand that kept the malicious code relatively hidden while ensuring it would be incorporated into production systems [5].
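Two defensive checks follow directly from the dependency chain and the tarball-only injection described in the preceding paragraphs: confirm whether a system's sshd actually loads liblzma at all, and compare a release tarball against the checked-out source tree so that any file shipped only in the tarball is flagged for review. The script below is an added example written for this article, not code from the XZ Utils project or from any of the analyses quoted here. The `ldd` listing and the toy tarball it inspects are constructed inline, and the file name `extra-only-in-tarball.m4` is a placeholder, not the name of any real artifact.

```python
from __future__ import annotations

import io
import tarfile
import tempfile
from pathlib import Path

# Versions named in the article as carrying the backdoor; 5.6.2 is the cleaned release.
COMPROMISED_VERSIONS = {"5.6.0", "5.6.1"}

# Constructed sample of `ldd $(command -v sshd)` output for a distribution whose sshd
# is linked against libsystemd, which in turn pulls in liblzma.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd0)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f01)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f02)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f03)
"""


def is_compromised_version(version: str) -> bool:
    """True if the reported xz/liblzma version is one of the two backdoored releases."""
    return version.strip() in COMPROMISED_VERSIONS


def links_liblzma(ldd_output: str) -> bool:
    """True if an `ldd` listing shows liblzma among the libraries a binary will load."""
    return any(line.strip().startswith("liblzma.so") for line in ldd_output.splitlines())


def tarball_only_files(tarball: Path, tree: Path) -> set[str]:
    """Regular files present in the release tarball but absent from the source tree.

    Tarball member names are compared after stripping the top-level directory
    (e.g. "demo-1.0/"), so they line up with paths relative to the tree root.
    """
    tar_files: set[str] = set()
    with tarfile.open(tarball) as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            if len(parts) == 2:
                tar_files.add(parts[1])
    tree_files = {p.relative_to(tree).as_posix() for p in tree.rglob("*") if p.is_file()}
    return tar_files - tree_files


def build_demo(workdir: Path) -> tuple[Path, Path]:
    """Construct a toy source tree and a tarball that carries one file the tree lacks."""
    tree = workdir / "src"
    (tree / "m4").mkdir(parents=True)
    (tree / "configure.ac").write_text("AC_INIT([demo], [1.0])\n")
    (tree / "m4" / "ax_common.m4").write_text("# harmless macro\n")

    tarball = workdir / "demo-1.0.tar.gz"
    with tarfile.open(tarball, "w:gz") as tf:
        tf.add(tree, arcname="demo-1.0")
        # Placeholder content: the point is only that this path never existed in the tree.
        extra = b"# constructed placeholder: file shipped only in the tarball\n"
        info = tarfile.TarInfo("demo-1.0/m4/extra-only-in-tarball.m4")
        info.size = len(extra)
        tf.addfile(info, io.BytesIO(extra))
    return tarball, tree


def run_demo() -> set[str]:
    """Build the toy tarball and tree, then report files that exist only in the tarball."""
    with tempfile.TemporaryDirectory() as d:
        tarball, tree = build_demo(Path(d))
        return tarball_only_files(tarball, tree)


if __name__ == "__main__":
    print("sshd loads liblzma:", links_liblzma(SAMPLE_LDD))
    print("5.6.1 compromised:", is_compromised_version("5.6.1"))
    print("tarball-only files:", sorted(run_demo()))
```

On a real host the `ldd` text would come from running `ldd` on the sshd binary and the tree from checking out the release tag; a non-empty result from `tarball_only_files` is a prompt for review, not proof of compromise, since legitimate generated files (for example, a pre-built `configure`) also appear only in tarballs.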
The Mastermind: A ghost in the machine

The most unsettling aspect of this attack wasn't the code itself, but the methodical social engineering behind it.
For approximately three years, someone using the name "Jia Tan" and the handle "JiaT75" had patiently worked to infiltrate the XZ Utils project. This marathon of deception stood in stark contrast to the smash-and-grab tactics of typical cybercriminals.
As Akamai's analysis describes:
"Almost two years ago, a developer under the name of Jia Tan joined the project and started opening pull requests for various bug fixes or improvements... Eventually, after building trust and credibility, Jia Tan began to receive permissions for the repository - first, commit permissions and, eventually, release manager rights."
This patient approach, contributing legitimate improvements to gain trust before introducing malicious code, bears all the hallmarks of a sophisticated state-sponsored attack. The identity of "Jia Tan" remains unknown, but security experts widely believe this operation required resources and patience beyond typical cybercriminals.
Catastrophe Averted: The world that almost was
Had Freund not discovered this backdoor when he did, the consequences would have been staggering.
At the time of discovery, the compromised versions had not yet made their way into stable releases of major Linux distributions, but they were present in development versions of several major systems. They were, in effect, ticking time bombs waiting to be deployed worldwide.
The response to Freund's discovery was swift:
The Cybersecurity and Infrastructure Security Agency issued urgent advisories.
Linux vendors immediately rolled back to uncompromised versions.
Canonical postponed the launch of Ubuntu 24.04 LTS to ensure thorough security review.
XZ Utils released version 5.6.2 in May 2024 to remove the vulnerability entirely.
Without Freund's intervention, millions of servers worldwide could have been silently compromised, creating what one analyst called…
"the most devastating security breach in the history of open-source software."
Beyond the Code: The human factor in security
Freund's discovery highlights something crucial about cybersecurity that often gets overlooked in discussions of firewalls and encryption: human curiosity remains our most powerful defence.
No automated scanning tool flagged this backdoor. No security checklist identified it. It was found because one person noticed something didn't feel quite right and refused to ignore that feeling.
This case study offers a powerful lesson for organisational leaders: empower your curious minds. Give them time to explore anomalies. Create cultures where questioning the status quo is valued rather than dismissed.
As systems become increasingly complex, with deeper dependency chains and more interconnected components, this kind of vigilance becomes more critical, not less. It's especially important in open-source ecosystems, where the collaborative nature of development can be both a tremendous strength and a potential vulnerability.
The open road ahead
The XZ Utils incident serves as both a warning and a reminder. As we increasingly build our digital future on open-source foundations (including emerging AI infrastructures) we must recognise both the tremendous benefits and inherent risks of collaborative development.
The security community has responded to this incident with renewed focus on supply chain security, contributor verification, and dependency monitoring. But technical solutions alone aren't enough. We need more Andres Freunds: more curious, persistent problem-solvers willing to pull on threads that don't quite make sense.
As we look toward a future where software becomes increasingly foundational to our society, the lesson is clear: our security depends not just on code, but on the people who write it, review it, and — crucially — question it.
In a world of increasing digital complexity, curiosity may be our most important firewall.
All links have been reviewed and classed as safe by our team as of May 22, 2025.
Additional sources
https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/
https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/
https://www.reddit.com/r/programming/comments/1bv8k7f/the_role_of_ifunc_in_the_xz_backdoor/
https://www.nytimes.com/2024/04/03/technology/prevent-cyberattack-linux.html