https://manuelfedele.github.io/tags/infra/Recent content in Infra on Git Push and RunHugo -- gohugo.ioen© 2026 Manuel FedeleSun, 05 Apr 2026 10:00:00 +0100https://manuelfedele.github.io/posts/xz-utils-backdoor-the-git-tarball-gap/Sun, 05 Apr 2026 10:00:00 +0100https://manuelfedele.github.io/posts/xz-utils-backdoor-the-git-tarball-gap/<div class="lead text-neutral-500 dark:text-neutral-400 !mb-9 text-xl"> CVE-2024-3094 was not just a backdoor. It was a two-year infiltration campaign that exploited a structural blind spot in how open source software is actually distributed. The malicious code was never committed to git at all. </div> <p>In March 2024, Andres Freund, a Microsoft engineer, noticed that SSH logins on his Debian testing machine were taking about 500ms longer than expected and consuming anomalous CPU. He spent several hours tracing the cause. What he found was one of the most sophisticated supply chain attacks ever discovered in open source software.</p>