Supply Chain and Open Source
From the XZ backdoor to slopsquatting
What this episode is about
Two stories, one common denominator. The first is a detective story with two years of lead-up — the XZ Utils backdoor from 2024. The second is an AI phenomenon that wouldn’t exist without frontier models — slopsquatting. Both show the same fundamental vulnerability: trust in open source was an implicit hypothesis — it is broken and must be replaced by explicit mechanisms.
XZ Utils — anatomy of a two-year sock puppet
XZ Utils is a compression library written by the Finnish developer Lasse Collin, linked by OpenSSH and therefore on practically every Linux server in the world. Robert summarizes the anatomy. In January 2021, someone with the pseudonym Jia Tan creates a GitHub account. First commits are small and legitimate — trust building. In spring 2022, first real contributions to the XZ project. In parallel, additional accounts appear — Jigar Kumar, Dennis Ens — pressuring Collin in discussions: he is too slow, the project needs a new maintainer. In January 2023, Jia Tan gets maintainer rights. Then the actual operation begins. July 2023: Jia Tan submits a pull request to Google’s OSS-Fuzz that effectively disables fuzzing for XZ — presumably so the planned backdoor isn’t discovered. February 2024: the backdoor itself lands hidden in two test files. Versions 5.6.0 and 5.6.1 are picked up by Debian, Gentoo, Arch, Fedora, openSUSE.
Chris explains the backdoor technique. It uses glibc’s ifunc mechanism — a function that selects different implementations at runtime depending on CPU. The backdoor hooks into RSA public-key decoding and enables authentication bypass on SSH logins, active only when a specific crypto key from the attacker is sent. Backdoor-as-a-service in open source.
On March 29, 2024, Andres Freund, PostgreSQL developer at Microsoft, discovers the anomaly. His SSH login to a test machine takes half a second too long. He profiles with Valgrind, perf, slow detective work — and finds the backdoor. Report on the oss-security mailing list, CVE-2024-3094, CVSS 10.0, the highest possible rating. Distributions pull the infected versions within hours. The backdoor was not exploited in production as far as we know. It came close. Anyone running Debian unstable or Fedora Rawhide — typical development environments — may have had it installed.
Slopsquatting — AI hallucinations as supply chain
The term comes from Seth Larson, Python security expert. Chris explains the pattern. In classic typosquatting, an attacker registers package names with typos — “numpy” becomes “numpyy”. In slopsquatting, an LLM hallucinates a package while generating code that doesn’t actually exist. The attacker registers exactly this name — and the next time a developer adopts the LLM suggestion, their code becomes an attack vector. Joseph Spracklin and colleagues quantified this at USENIX Security 2025: 576,000 code samples generated with various LLMs, around 20 percent of the suggested package names don’t exist. With GPT-4 class models the rate is 5 percent, with open-source models like CodeLlama, DeepSeek, WizardCoder higher. 43 percent of these hallucinated names recur consistently across multiple prompts — they are therefore predictably registrable.
Robert names the documented real-world case: Snyk researchers found a fake huggingface-cli package downloaded over 30,000 times in three months. Hugging Face is the leading platform for ML models, the CLI sounds absolutely plausible. The real package is named differently — the fake one contained an infostealer. Classical mitigation via Levenshtein distance filter doesn’t work here because the name isn’t similar, it’s new. Approaches discussed in 2026 standardization: waiting time when new packages are registered, reverse linking against maintainer trust.
Regulatory response
Since April 1, 2025, operators of critical infrastructure in Switzerland must report cyberattacks to BACS within 24 hours — a fundamental shift from previous voluntariness. At EU level the NIS2 Directive applies in parallel, transposition deadline October 17, 2024. The Cyber Resilience Act (EU 2024/2847) obligates manufacturers of products with digital elements to maintain Software Bill of Materials, vulnerability-disclosure policies, stepwise application until 2027. Lukas says from the research view: SBOMs help with known vulnerabilities, not with zero-days, and certainly not with an XZ scenario in which the maintainer is malicious. Cryptographic source-attestation methods are being discussed — Sigstore, Cosign — signing not only bytes but identity and build provenance.
What you take away from this episode
The supply chain is the strategic battlefield in 2026. SBOMs are mandatory, reporting is mandatory. Both are necessary, not sufficient. Anyone using AI coding assistants productively needs a package-verification layer in the build system — for Python: check against PyPI, verify maintainer profile and release history before installing a package from an LLM suggestion. The open research question: maintainer verification and identity trust in open communities — no established answer in 2026.
Sources and references
- Freund, A. (2024, March 29). Backdoor in upstream xz/liblzma leading to ssh server compromise [Mailing list message]. oss-security at openwall.com. https://www.openwall.com/lists/oss-security/2024/03/29/4
- Hunted Labs. (2024). Where the wild things are: A complete analysis of Jia Tan's GitHub history and the XZ Utils software supply chain breach. https://www.huntedlabs.com/blog/where-the-wild-things-are-a-complete-analysis-of-jia-tans-github-history-and-the-xz-utils-software-supply-chain-breach
- Wikipedia contributors. (n.d.). XZ Utils backdoor. Wikipedia. https://en.wikipedia.org/wiki/XZ_Utils_backdoor
- Spracklin, J., Madireddy, R., Pasarath, P., & Tsipenyuk, K. (2025). We have a package for you! A comprehensive analysis of package hallucinations by code-generating LLMs. USENIX Security 2025. https://www.usenix.org/conference/usenixsecurity25
- Snyk. (2024). Slopsquatting: New AI hallucination threats and mitigation strategies. Snyk Articles. https://snyk.io/articles/slopsquatting-mitigation-strategies/
- BleepingComputer. (2025). AI-hallucinated code dependencies become new supply chain risk. https://www.bleepingcomputer.com/news/security/ai-hallucinated-code-dependencies-become-new-supply-chain-risk/
- Bundesamt für Cybersicherheit BACS. (2025, April 1). Reporting cyberattacks on critical infrastructure mandatory from 1 April 2025. Schweizerische Eidgenossenschaft. https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2025/meldepflicht-2025.html
- OST – Ostschweizer Fachhochschule. (2026). CAS AI-Driven Cybersecurity and Strategic Defence [Programmseite, 15 ECTS, 14 Präsenztage, Campus Rapperswil-Jona]. https://www.ost.ch/de/weiterbildung/weiterbildungsangebot/informatik/cybersecurity-networks/cas-ai-driven-cybersecurity-and-strategic-defence