Critical fragments of the world’s digital infrastructure rest on a few unpaid volunteers, sometimes burnt out, sometimes infiltrated, sometimes gone. Open does not mean safe; auditable does not mean audited. The cases that follow show that the arithmetic of critical volunteer work regularly catches up with global infrastructure, and that no structural investment has filled this void.
This family also documents, even before the arrival of AI auditing agents, the defensive asymmetry on which thesis 9 of the manifesto rests: open source’s theoretical auditability has never produced actual auditing on the scale of its uses. XZ Utils went unnoticed for two to three years in public code; Heartbleed remained hidden for two years in OpenSSL; Log4Shell lived for four years before disclosure. Family 7 documents the AI amplification of this asymmetry; the present family documents its premise — the transparency of free software ceases to be in itself a defensive achievement if it is not backed by real means of audit.
XZ Utils — A state-level backdoor in a library maintained by a single volunteer
Date of the main event: discovered 29 March 2024; infiltration attempt over 2-3 years
Status: confirmed, attack thwarted in extremis
Manifesto theses illustrated: 7, 8, 9, 11
The fact
On 29 March 2024, Andres Freund, a Microsoft engineer, discovered by chance an extremely sophisticated backdoor in XZ Utils, a compression library maintained for years by a burnt-out volunteer, Lasse Collin. An attacker — operating under the pseudonym Jia Tan, and probably backed by a state actor given the level of patience and sophistication — had spent close to three years gaining the trust of the original maintainer before obtaining commit rights, then introducing a backdoor in versions 5.6.0 and 5.6.1.
The backdoor was designed to activate within sshd, the SSH daemon, and to allow remote code execution triggered by a cryptographic signature known to the attacker. It was specifically designed to be near-undetectable by usual auditing methods.
Reverse-dependency analysis revealed that the XZ library is used by a considerable share of the Linux ecosystem — of the same order of magnitude as glibc, the standard C library. Had the backdoor not been detected in time, it would probably have been the most serious supply chain compromise since SolarWinds, affecting millions of Linux servers worldwide.
Human context
Lasse Collin, the original maintainer of XZ Utils, had publicly expressed his fatigue and overwork on the project’s mailing lists. Several people — Jia Tan among them — had come to “offer their help” to take over part of the maintenance. It is precisely this human vulnerability that the attacker exploited: the burnout of the sole maintainer became the vector of a sophisticated, potentially state-level attack.
What it demonstrates
XZ Utils is probably the most important case documented to date for the open source security debate. It concretely proves that:
- Critical volunteering is a structural vulnerability. A library used by tens of thousands of packages rested on a single burnt-out volunteer, with no institutional support or funding.
- Theoretical auditability does not guarantee actual auditing. The XZ Utils code was public from the start. No one was auditing it closely enough to detect a two-year infiltration. The discovery was due to chance — an SSH slowdown noticed during a PostgreSQL benchmark. This is precisely thesis 9 of the manifesto, in its pre-AI version: the transparency of free software is a defensive achievement only if it is backed by real means of audit. XZ establishes this finding without any AI agent entering the picture — only the arithmetic of the human eyes available counts, and it does not suffice.
- Structured public investment is necessary. No mechanism funded Lasse Collin for his critical work. If a tiny fraction of the economic value resting on XZ had been redistributed to its maintenance, the maintainer would not have been burnt out, and the entry point would not have existed.
- Geopolitical risk is real. The sophistication of the attack suggests a state actor. For a European project using XZ, this means a hostile actor can, by investing patience and time, take control of critical components of its IT system.
Sources
- Andres Freund (March 2024), initial backdoor disclosure on the oss-security list: https://www.openwall.com/lists/oss-security/2024/03/29/4
- CISA (April 2024), CVE-2024-3094 alert: https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
- Springer Nature Link, Unveiling the Critical Attack Path for Implanting Backdoors in Supply Chains: Practical Experience from XZ: https://link.springer.com/chapter/10.1007/978-981-95-4434-9_24
- XZ Utils mailing lists, archives 2021-2024.
IngressNightmare and the retirement of Ingress-NGINX — Volunteering at planetary scale
Dates: vulnerabilities revealed in March 2025; official project retirement announced 11 November 2025; end of patches in March 2026
Status: confirmed, project at end of life
Manifesto theses illustrated: 8, 9, 11, 12
The fact
In March 2025, the security firm Wiz revealed a series of critical vulnerabilities named IngressNightmare (CVE-2025-1974, CVSS score 9.8 out of 10) in Ingress-NGINX, the most widely used ingress controller for exposing Kubernetes applications to the outside world. According to Wiz, around 43% of cloud environments were vulnerable, and more than 6,500 clusters — including Fortune 500 companies — publicly exposed their vulnerable component, allowing an unauthenticated attacker to take full control of the cluster by reading every stored secret.
The chilling detail is not the vulnerability itself, but what it revealed about the project’s state. Ingress-NGINX, deployed according to Datadog estimates in about 50% of cloud-native environments and used in countless managed platforms and critical infrastructures, was in fact maintained by one or two people, in their free time and unpaid.
On 11 November 2025, the Kubernetes Network Special Interest Group (SIG Network) and the Security Response Committee officially announced the retirement of the project: best-effort maintenance will continue until March 2026, after which there will be no new versions, no bug fixes and no security patches. The justification was plain: the project’s attack surface had become too large for its available human resources, and efforts to recruit additional maintainers had failed. A replacement project named InGate had been launched; it too was abandoned for lack of hands.
On 29 January 2026, the Kubernetes Steering and Security Response Committees published a second, more alarming joint statement, urging organisations to begin their migration immediately and describing the risk as “catastrophic” if users ignored the warning. On 2 February 2026, four new high-severity vulnerabilities (CVE-2026-1580, CVE-2026-24512, CVE-2026-24513, CVE-2026-24514) were disclosed, confirming that the project continues to expose its users to risk while awaiting the end of support.
What it demonstrates
Where XZ Utils could still be classed as an extreme case — a sophisticated, potentially state-level attack against an obscure library maintained by a single volunteer — IngressNightmare forbids that consolation. There is no longer even a sophisticated attack: it is the simple arithmetic of critical volunteering catching up with global infrastructure.
Kubernetes is the de facto standard for container orchestration worldwide, donated by Google to the CNCF in 2015 and adopted by more than half of the Fortune 100. Ingress-NGINX is one of its most common entry points — the piece that decides which external traffic reaches which internal service. And it is this central piece of the system that turns out to have been held by two burnt-out volunteers, and is now retired for lack of anyone to take up the torch.
This retirement directly illustrates thesis 12: the European cloud providers who sold managed Kubernetes for years consumed Ingress-NGINX as a free service, without investing in its maintenance. The result is the programmed collapse of a component they used massively for their customers.
Sources
- Wiz Research (March 2025), CVE-2025-1974: The IngressNightmare in Kubernetes: https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
- Kubernetes Blog (24 March 2025), Ingress-nginx CVE-2025-1974: What You Need to Know: https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
- Kubernetes Blog (11 November 2025), Ingress NGINX Retirement: What You Need to Know: https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/
- Kubernetes Blog (29 January 2026), Ingress NGINX: Statement from the Kubernetes Steering and Security Response Committees: https://kubernetes.io/blog/2026/01/29/ingress-nginx-statement/
- Datadog Security Labs (February 2026), Kubernetes project issues warning on Ingress NGINX retirement: https://securitylabs.datadoghq.com/articles/kubernetes-ingress-nginx-retirement-warning/
- Dark Reading (March 2025), ‘IngressNightmare’ Vulns Imperil Kubernetes Environments: https://www.darkreading.com/application-security/critical-ingressnightmare-vulns-kubernetes-environments
Heartbleed — The 2014 precedent
Date of the event: April 2014 (public disclosure of CVE-2014-0160)
Status: historical, fixed
Manifesto theses illustrated: 7, 8, 9
The fact
In April 2014, a critical vulnerability named Heartbleed was revealed in OpenSSL, the cryptographic library used to secure roughly two-thirds of global HTTPS traffic. The bug, present since 2012, allowed an attacker to read up to 64 KB of arbitrary server memory per request, potentially exposing private keys, passwords and user sessions.
At the time of discovery, the OpenSSL project was maintained by two principal volunteer developers (“the two Steves”, Steve Marquess and Stephen Henson), assisted by a few occasional contributors, despite being used by virtually every web server in the world. The project’s total annual budget was on the order of $2,000 in donations. Paid full-time maintainers arrived only after disclosure, following the creation of the Core Infrastructure Initiative.
What it demonstrates
Heartbleed is the textbook case that founded the entire contemporary conversation on open source supply chain security. It directly triggered the creation of the Core Infrastructure Initiative (Linux Foundation, 24 April 2014) — which enabled the funding of two full-time OpenSSL developers — and later of the German Sovereign Tech Fund (2022). But 10 years after Heartbleed, the XZ Utils and IngressNightmare cases show that the structural problem has not been solved — it has merely been displaced to other components that are equally critical and equally under-maintained.
Sources
- OpenSSL, official communication (April 2014).
- Mozilla, ICANN, technical communications.
- Core Infrastructure Initiative, Linux Foundation.
Log4Shell — The 2021 precedent
Date of the event: December 2021 (CVE-2021-44228)
Status: historical, ongoing remediation
Manifesto theses illustrated: 7, 8, 9
The fact
In December 2021, a critical vulnerability named Log4Shell was revealed in Apache Log4j, the most widely used Java logging library in the world. The flaw allowed an unauthenticated attacker to execute remote code on any Java server that logged a user-controlled string. CVSS score: 10/10. The vulnerability potentially affected hundreds of millions of Java applications in production, across every sector: finance, defence, healthcare, industry.
At the time of discovery, Log4j — an Apache project — was maintained by a small team of volunteers, one of whose leads, Volkan Yazıcı, had published public messages mentioning the difficulties of volunteer work on a project of such criticality. No structured funding mechanism existed for maintenance.
What it demonstrates
Log4Shell showed that even an established foundation like the Apache Software Foundation does not guarantee funding for the maintenance of the projects it hosts. The foundation manages intellectual property and governance, but maintainers remain largely volunteer-based. The global remediation cost of Log4Shell was estimated at several billion dollars — a sum which, redistributed pre-emptively into maintenance, would have funded dozens of full-time maintainers for decades.
Sources
- Apache Log4j, official advisory (December 2021).
- CISA, CVE-2021-44228.
- Volkan Yazıcı, public blog post, Open Source can’t afford this anymore.
Copy Fail (CVE-2026-31431) — A nine-year logic bug in the Linux kernel’s crypto subsystem
Dates: disclosure 29 April 2026; bug introduced in 2017; initial report 23 March 2026; upstream patch 1 April 2026
Status: confirmed, 100% exploitable, added to CISA’s KEV list
Manifesto theses illustrated: 8, 9, 11
The fact
On 29 April 2026, Theori disclosed Copy Fail (CVE-2026-31431), a logic flaw in the algif_aead module of the Linux kernel’s cryptographic subsystem. The defect results from the composition of three reasonable changes introduced over fourteen years (authencesn 2011, AF_ALG AEAD 2015, in-place optimisation 2017). A 732-byte Python script suffices for an unprivileged local user to obtain root rights on Ubuntu, Amazon Linux, RHEL, SUSE, Debian, Fedora and Arch Linux — every distribution shipping a kernel released between 2017 and April 2026. CVSS 7.8. CISA added the CVE to its Known Exploited Vulnerabilities catalogue.
What it demonstrates
Copy Fail directly extends the XZ Utils / Heartbleed / Log4Shell / IngressNightmare lineage, but shifts the finding on three points:
- The perimeter is the most-watched there is. Where Heartbleed concerned OpenSSL, maintained by two volunteers, and XZ Utils concerned a secondary library held by a single burnt-out maintainer, Copy Fail touches the crypto subsystem of the Linux kernel — one of the most audited layers in the world, scrutinised by commercial red teams, by university researchers and by state security agencies. Critical volunteering is not the explanation here. It is human arithmetic itself that does not suffice for composition bugs spread across distinct files, conventions and authors.
- A nine-year window. The defect was introduced in 2017 and detected only in March 2026. Over this period, hundreds of thousands of production deployments — from American hyperscalers to European critical infrastructures — exposed a 100% reliable privilege escalation path that no human audit was seeing. This is exactly the premise of thesis 9 of the manifesto: open source’s theoretical auditability does not produce actual auditing on the scale of its uses.
- The discovery’s trigger is not human. Unlike the four previous cases of this family — XZ Utils discovered by chance during a benchmark, Heartbleed through the work of Codenomicon and Google, IngressNightmare through directed Wiz research, Log4Shell through coordinated communication — Copy Fail was identified by an AI-assisted analysis tool (Theori’s Xint Code). This is precisely the inversion that family 7 of this dossier analyses: code transparency, which constituted a defensive advantage when only humans read code, becomes in the AI era a terrain where the speed of discovery is multiplied — for attack as for defence, depending on who has the tools.
For the defensive AI dimension and the offensive mechanics of automated audit, see family 7 — The AI turn.
Sources
- Theori / Xint (29 April 2026), disclosure and technical write-up: https://xint.io/blog/copy-fail-linux-distributions
- Bugcrowd (April 2026), What we know about Copy Fail (CVE-2026-31431): https://www.bugcrowd.com/blog/what-we-know-about-copy-fail-cve-2026-31431/
- Help Net Security (30 April 2026), Nine-year-old Linux kernel flaw enables reliable local privilege escalation: https://www.helpnetsecurity.com/2026/04/30/copyfail-linux-lpe-vulnerability-cve-2026-31431/
- Debian Security Tracker, CVE-2026-31431: https://security-tracker.debian.org/tracker/CVE-2026-31431
→ Related operational commitments
Critical under-maintained components have, in fact, only one remediation: that they actually be maintained — that is, that their upkeep be funded in proportion to the use made of them.
- Publishers and providers: pay back a documented fraction of revenue to the open source projects on which the offer depends.
- User organisations: audit exposure to single-vendor dependencies and under-maintained components; pay back a documented fraction of the software budget to open source foundations; publicly document the supply chain’s jurisdiction.
- Developers: pay back a documented fraction of professional revenue to open source maintainers.