The most interesting part of the story is how it got there. xz Utils is open-source software, meaning that its code is public and can be inspected or modified by anyone. In 2022 Lasse Collin, the developer who maintained it, found that his “unpaid hobby project” was becoming more onerous amid long-term mental-health issues. A developer called Jia Tan, who had created an account the previous year, offered to help. For more than two years he, she or they contributed helpful code on hundreds of occasions, building up trust. In February they smuggled in the malware.

The significance of the attack is “huge”, says The Grugq, a pseudonymous independent security researcher who is widely read by cyber-security experts. “The backdoor is very peculiar in how it is implemented, but it is really clever stuff and very stealthy”—perhaps too stealthy, he suggests, because some of the steps taken in the code to hide its true purpose may have slowed it down and thus raised Mr Freund’s alarm. Jia Tan’s patience, supported by several other accounts who urged Mr Collin to pass the baton, hints at a sophisticated human-intelligence operation by a state agency, suggests The Grugq.

He suspects the svr, Russia’s foreign-intelligence service, which in 2019-20 also compromised SolarWinds Orion network-management software to gain extensive access to American government networks. Analysis by Rhea Karty and Simon Henniger, published on their Substack, suggests that Jia Tan made an effort to falsify their time zone but that they were probably two to three hours ahead of Greenwich Mean Time—suggesting they may have been in eastern Europe or western Russia—and avoided working on eastern European holidays. For now, however, the evidence is too weak to nail down a culprit.

The attack is perhaps the most ambitious “supply-chain” attack—one that exploits not a particular computer or device, but a piece of back-end software or hardware—in recent memory. It is also a stark illustration of the frailties of the internet and the crowdsourced code upon which it relies. For defenders of open-source software, Mr Freund’s eagle eyes are a vindication of its premise: code is open, can be inspected by anyone, and errors or deliberate backdoors will eventually be found through collective scrutiny.