{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,17]],"date-time":"2026-03-17T19:26:10Z","timestamp":1773775570357,"version":"3.50.1"},"reference-count":35,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2025,2,28]],"date-time":"2025-02-28T00:00:00Z","timestamp":1740700800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Queue"],"published-print":{"date-parts":[[2025,2,28]]},"abstract":"<jats:p>The xz attack seems to be the first major attack on the open source software supply chain. The event-stream attack was similar but not major, and Heartbleed and Log4j were vulnerabilities, not attacks. But the xz attack was discovered essentially by accident because it made sshd just a bit too slow at startup. Attacks, by their nature, try to remain hidden. What are the chances we would accidentally discover the very first major attack on the open source software supply chain in just a few weeks? Perhaps we were extremely lucky, or perhaps we have missed others.<\/jats:p>","DOI":"10.1145\/3722542","type":"journal-article","created":{"date-parts":[[2025,4,1]],"date-time":"2025-04-01T16:20:02Z","timestamp":1743524402000},"page":"84-107","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Fifty Years of Open Source Software Supply Chain Security"],"prefix":"10.1145","volume":"23","author":[{"given":"Russ","family":"Cox","sequence":"first","affiliation":[{"name":"Google"}]}],"member":"320","published-online":{"date-parts":[[2025,4]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Appelbaum J. et al. 2013. Documents reveal top NSA hacking unit. 
Spiegel International; https:\/\/www.spiegel.de\/international\/world\/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html."},{"key":"e_1_2_1_2_1","unstructured":"Bals F. 2024. 2024 open source security and risk analysis report. Blackduck blog; https:\/\/www.blackduck.com\/blog\/open source-trends-ossra-report.html."},{"key":"e_1_2_1_3_1","unstructured":"Beaumont K. 2024. Inside the failed attempt to backdoor SSH globally – that got caught by chance. DoublePulsar; https:\/\/doublepulsar.com\/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd."},{"key":"e_1_2_1_4_1","volume-title":"Google Project Zero blog","author":"Beer I.","year":"2021","unstructured":"Beer, I., Gro\u00df, S. 2021. A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution, Google Project Zero blog; https:\/\/googleprojectzero.blogspot.com\/2021\/12\/a-deep-dive-into-nso-zero-click.html."},{"key":"e_1_2_1_5_1","doi-asserted-by":"crossref","unstructured":"Bentley J. 1985. Programming pearls. Communications of the ACM 28(9) 896–901; https:\/\/dl.acm.org\/doi\/10.1145\/4284.315122.","DOI":"10.1145\/4284.315122"},{"key":"e_1_2_1_6_1","volume-title":"D. Naccache, J.-J. Quisquater, 256–281","author":"Bernstein D. J.","year":"2015","unstructured":"Bernstein, D. J., Lange, T., Niederhagen, R. 2015. Dual EC: a standardized back door. LNCS Essays on the New Codebreakers 9100, ed. P. Y. A. Ryan, D. Naccache, J.-J. Quisquater, 256–281; https:\/\/eprint.iacr.org\/2015\/767."},{"key":"e_1_2_1_7_1","volume-title":"OpenSSF blog","author":"Chang O.","year":"2023","unstructured":"Chang, O., Catlin, K. 2023. Getting to know the Open Source Vulnerability (OSV) format, OpenSSF blog; https:\/\/openssf.org\/blog\/2023\/05\/02\/getting-to-know-the-open source-vulnerability-osv-format\/."},{"key":"e_1_2_1_8_1","doi-asserted-by":"crossref","unstructured":"Checkoway S. et al. 2018. 
Where did I leave my keys?: lessons from the Juniper Dual EC incident. Communications of the ACM 61(11) 148–155; https:\/\/dl.acm.org\/doi\/10.1145\/3266291.","DOI":"10.1145\/3266291"},{"key":"e_1_2_1_9_1","unstructured":"Cox R. 2023. C and C++ prioritize performance over correctness. research!rsc blog post; https:\/\/research.swtch.com\/ub."},{"key":"e_1_2_1_10_1","unstructured":"Cox R. 2023. Perfectly reproducible verified Go toolchains. The Go Blog; https:\/\/go.dev\/blog\/rebuild."},{"key":"e_1_2_1_11_1","unstructured":"Cox R. 2023. Running the \"Reflections on Trusting Trust\" compiler. research!rsc blog post; https:\/\/research.swtch.com\/nih."},{"key":"e_1_2_1_12_1","doi-asserted-by":"crossref","unstructured":"Cox R. 2019. Surviving software dependencies. Communications of the ACM 62(9) 36–43; https:\/\/dl.acm.org\/doi\/10.1145\/3347446.","DOI":"10.1145\/3347446"},{"key":"e_1_2_1_13_1","unstructured":"Cox R. 2024. Timeline of the xz open source attack. research!rsc blog post; https:\/\/research.swtch.com\/xz-timeline."},{"key":"e_1_2_1_14_1","unstructured":"Cox R. 2024. The xz attack shell script. research!rsc blog post; https:\/\/research.swtch.com\/xz-script."},{"key":"e_1_2_1_15_1","doi-asserted-by":"crossref","unstructured":"Cox R. Griesemer R. Pike R. Taylor I. L. Thompson K. 2022. The Go programming language and environment. Communications of the ACM 65(5) 70–78; https:\/\/dl.acm.org\/doi\/10.1145\/3488716.","DOI":"10.1145\/3488716"},{"key":"e_1_2_1_16_1","unstructured":"Cox R. Valsorda F. 2019. Proposal: secure the public Go module ecosystem. Go design document; https:\/\/go.dev\/design\/25530-sumdb."},{"key":"e_1_2_1_17_1","volume-title":"CFPB, and states related to 2017 data breach","author":"Federal Trade Commission","year":"2019","unstructured":"Federal Trade Commission. 2019. Equifax to pay $575 million as part of settlement with FTC, CFPB, and states related to 2017 data breach. 
FTC press release; https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2019\/07\/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related-2017-data-breach."},{"key":"e_1_2_1_18_1","volume-title":"FTC warns companies to remediate Log4j security vulnerability. FTC Office of Technology blog","author":"Federal Trade Commission","year":"2022","unstructured":"Federal Trade Commission. 2022. FTC warns companies to remediate Log4j security vulnerability. FTC Office of Technology blog; https:\/\/www.ftc.gov\/policy\/advocacy-research\/tech-at-ftc\/2022\/01\/ftc-warns-companies-remediate-log4j-security-vulnerability."},{"key":"e_1_2_1_19_1","volume-title":"Openwall","author":"Freund A.","year":"2024","unstructured":"Freund, A., 2024. Backdoor in upstream xz\/liblzma leading to ssh server compromise. oss-security mailing list, Openwall; https:\/\/www.openwall.com\/lists\/oss-security\/2024\/03\/29\/4."},{"key":"e_1_2_1_20_1","volume-title":"XZ Utils cyberattack likely not an isolated incident. OpenSSF blog","author":"Ginn R. B.","year":"2024","unstructured":"Ginn, R. B., Arasaratnam, O. 2024. XZ Utils cyberattack likely not an isolated incident. OpenSSF blog; https:\/\/openssf.org\/blog\/2024\/04\/15\/open source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open source-projects\/."},{"key":"e_1_2_1_21_1","volume-title":"Widely used open source software contained bitcoin-stealing backdoor. Ars Technica","author":"Goodin D.","year":"2018","unstructured":"Goodin, D., 2018. Widely used open source software contained bitcoin-stealing backdoor. Ars Technica; https:\/\/arstechnica.com\/information-technology\/2018\/11\/hacker-backdoors-widely-used-open source-software-to-steal-bitcoin\/."},{"key":"e_1_2_1_22_1","unstructured":"Greenberg A. Burgess M. 2024. The Mystery of \"Jia Tan,\" the XZ backdoor mastermind. 
Wired; https:\/\/www.wired.com\/story\/jia-tan-xz-backdoor\/."},{"key":"e_1_2_1_23_1","volume-title":"Multics security evaluation: vulnerability analysis. U.S. Air Force Electronic Systems Division report ESD-TR-74-193","author":"Karger P. A.","unstructured":"Karger, P. A., Schell, R. R. 1974. Multics security evaluation: vulnerability analysis. U.S. Air Force Electronic Systems Division report ESD-TR-74-193, Vol. II; https:\/\/seclab.cs.ucdavis.edu\/projects\/history\/papers\/karg74.pdf."},{"key":"e_1_2_1_24_1","unstructured":"Kesteloot L. 2009. Coding Machines; https:\/\/www.teamten.com\/lawrence\/writings\/coding-machines\/."},{"key":"e_1_2_1_25_1","unstructured":"Munroe R. 2020. xkcd: Dependency. Webcomic; https:\/\/xkcd.com\/2347\/."},{"key":"e_1_2_1_26_1","volume-title":"Software memory safety. NSA Cybersecurity Information Sheet version 1.1 (updated","author":"National Security Agency. 2022.","year":"2023","unstructured":"National Security Agency. 2022. Software memory safety. NSA Cybersecurity Information Sheet version 1.1 (updated April 2023); https:\/\/media.defense.gov\/2022\/Nov\/10\/2003112742\/-1\/-1\/0\/CSI_SOFTWARE_MEMORY_SAFETY.PDF."},{"key":"e_1_2_1_27_1","unstructured":"Open Source Insights website; https:\/\/deps.dev\/."},{"key":"e_1_2_1_28_1","unstructured":"Open Source Security Foundation website; https:\/\/openssf.org\/about\/."},{"key":"e_1_2_1_29_1","unstructured":"OSV website. A distributed vulnerability database for Open Source; https:\/\/osv.dev\/."},{"key":"e_1_2_1_30_1","volume-title":"Announcing OSV-Scanner: vulnerability scanner for open source. Google Security blog","author":"Pan R.","year":"2022","unstructured":"Pan, R. 2022. Announcing OSV-Scanner: vulnerability scanner for open source. 
Google Security blog; https:\/\/security.googleblog.com\/2022\/12\/announcing-osv-scanner-vulnerability.html."},{"key":"e_1_2_1_31_1","unstructured":"Reproducible Builds website; https:\/\/reproducible-builds.org\/."},{"key":"e_1_2_1_32_1","doi-asserted-by":"crossref","unstructured":"Thompson K. 1984. Reflections on trusting trust. Communications of the ACM 27(8) 761–763; https:\/\/dl.acm.org\/doi\/10.1145\/358198.358210.","DOI":"10.1145\/358198.358210"},{"key":"e_1_2_1_33_1","unstructured":"Turton W. Gillum J. Robertson J. 2021. Inside the race to fix a potentially disastrous software flaw. Bloomberg News; https:\/\/finance.yahoo.com\/news\/inside-race-fix-potentially-disastrous-234445533.html."},{"key":"e_1_2_1_34_1","unstructured":"Xiao C. 2015. Novel malware XcodeGhost modifies Xcode, infects Apple iOS apps and hits app store. Palo Alto Networks; https:\/\/unit42.paloaltonetworks.com\/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store\/."},{"key":"e_1_2_1_35_1","unstructured":"Zetter K. 2023. The untold story of the boldest supply-chain hack ever. Wired; https:\/\/www.wired.com\/story\/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever\/."}],"container-title":["Queue"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3722542","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3722542","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:40Z","timestamp":1750295920000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3722542"}},"subtitle":["For decades, software reuse was only a lofty goal. 
Now it's very real."],"short-title":[],"issued":{"date-parts":[[2025,2,28]]},"references-count":35,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,2,28]]}},"alternative-id":["10.1145\/3722542"],"URL":"https:\/\/doi.org\/10.1145\/3722542","relation":{},"ISSN":["1542-7730","1542-7749"],"issn-type":[{"value":"1542-7730","type":"print"},{"value":"1542-7749","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2,28]]},"assertion":[{"value":"2025-04-01","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}