Half a Second: How a Tiny Delay Revealed the XZ Utils Backdoor

Half a Second – a book about the XZ backdoor

12zvr💬 3
Half a Second: How a Tiny Delay Revealed the XZ Utils Backdoor

I tell the story of how a Microsoft engineer's curiosity about a half-second delay uncovered a two-year infiltration of XZ Utils. This narrative exposes how critical open-source infrastructure often relies on exhausted, unpaid volunteers, leaving the digital world vulnerable to hidden threats that only luck and instinct can detect.

"The same economy that funds the big, visible pieces leaves many of the small, unglamorous ones that everything also depends on to a handful of volunteers, often unpaid and overstretched."

HN discussion

  • Critics argue the book lacks sufficient public information on the XZ Utils backdoor to warrant a standalone publication, suggesting the AI-generated text is an inefficient way to learn the topic.
  • Defenders contend that synthesizing existing data into a cohesive narrative for general readers is a valuable form of conceptual work, and that using AI as a force multiplier does not invalidate the output.
  • Skeptics point to stylistic anomalies like excessive em-dashes and a lack of coherent authorial intent as strong indicators that the text was generated by an LLM rather than written by a human.
  • One commenter proposes a novel attack vector where adversaries monitor GitHub repositories for archiving events to quickly fork and take over abandoned open-source projects.
  • Advanced analysis of the XZ backdoor should integrate GitHub API activity, mailing list correspondence, and public-facing actions to estimate the number of attackers and their operational latency.

More from this day · 2026-07-19