{"id":"https://openalex.org/W4411271230","doi":"https://doi.org/10.1109/msr66628.2025.00026","title":"Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack","display_name":"Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack","publication_year":2025,"publication_date":"2025-04-28","ids":{"openalex":"https://openalex.org/W4411271230","doi":"https://doi.org/10.1109/msr66628.2025.00026"},"language":"en","primary_location":{"id":"doi:10.1109/msr66628.2025.00026","is_oa":false,"landing_page_url":"https://doi.org/10.1109/msr66628.2025.00026","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE/ACM 22nd International Conference on Mining Software Repositories (MSR)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5053506993","display_name":"Piotr Przymus","orcid":"https://orcid.org/0000-0001-9548-2388"},"institutions":[{"id":"https://openalex.org/I3019271933","display_name":"Nicolaus Copernicus University","ror":"https://ror.org/0102mm775","country_code":"PL","type":"education","lineage":["https://openalex.org/I3019271933"]}],"countries":["PL"],"is_corresponding":false,"raw_author_name":"Piotr Przymus","raw_affiliation_strings":["Nicolaus Copernicus University in Toruń,Poland"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Nicolaus Copernicus University in Toruń,Poland","institution_ids":["https://openalex.org/I3019271933"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5043941055","display_name":"Thomas Durieux","orcid":"https://orcid.org/0000-0002-1996-6134"},"institutions":[{"id":"https://openalex.org/I98358874","display_name":"Delft University of Technology","ror":"https://ror.org/02e2c7k09","country_code":"NL","type":"education","lineage":["https://openalex.org/I98358874"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Thomas Durieux","raw_affiliation_strings":["TU Delft & Endor Labs,The Netherlands"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"TU Delft & Endor Labs,The Netherlands","institution_ids":["https://openalex.org/I98358874"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":2,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":7.0768,"has_fulltext":false,"cited_by_count":3,"citation_normalized_percentile":{"value":0.96592174,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":95,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"91","last_page":"102"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10430","display_name":"Software Engineering Techniques and Practices","score":0.9969000220298767,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10430","display_name":"Software Engineering Techniques and Practices","score":0.9969000220298767,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9968000054359436,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9894999861717224,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/supply-chain","display_name":"Supply chain","score":0.6160625219345093},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.5223875641822815},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.4807886481285095},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.41098111867904663},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.32927167415618896},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.21753016114234924},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.11230063438415527},{"id":"https://openalex.org/keywords/marketing","display_name":"Marketing","score":0.07256942987442017}],"concepts":[{"id":"https://openalex.org/C108713360","wikidata":"https://www.wikidata.org/wiki/Q1824206","display_name":"Supply chain","level":2,"score":0.6160625219345093},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5223875641822815},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.4807886481285095},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.41098111867904663},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.32927167415618896},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.21753016114234924},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.11230063438415527},{"id":"https://openalex.org/C162853370","wikidata":"https://www.wikidata.org/wiki/Q39809","display_name":"Marketing","level":1,"score":0.07256942987442017}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/msr66628.2025.00026","is_oa":false,"landing_page_url":"https://doi.org/10.1109/msr66628.2025.00026","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE/ACM 22nd International Conference on Mining Software Repositories (MSR)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.41999998688697815,"id":"https://metadata.un.org/sdg/9","display_name":"Industry, innovation and infrastructure"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":16,"referenced_works":["https://openalex.org/W1974390525","https://openalex.org/W2010945870","https://openalex.org/W2036398651","https://openalex.org/W2046645722","https://openalex.org/W2735173242","https://openalex.org/W2904853825","https://openalex.org/W2969343988","https://openalex.org/W3090088279","https://openalex.org/W3094417370","https://openalex.org/W3163740924","https://openalex.org/W3205330424","https://openalex.org/W4300165808","https://openalex.org/W4310067844","https://openalex.org/W4394672813","https://openalex.org/W4411088256","https://openalex.org/W6759246942"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W2390279801","https://openalex.org/W4391913857","https://openalex.org/W2358668433","https://openalex.org/W4396701345","https://openalex.org/W2376932109","https://openalex.org/W2001405890","https://openalex.org/W4396696052"],"abstract_inverted_index":{"The":[0],"digital":[1],"economy":[2],"runs":[3],"on":[4,46],"Open":[5],"Source":[6],"Software":[7],"(OSS),":[8],"with":[9],"an":[10],"estimated":[11],"90%":[12],"of":[13,80,109,123],"modern":[14],"applications":[15],"containing":[16],"open-source":[17,61,167],"components.":[18],"While":[19],"this":[20],"widespread":[21],"adoption":[22],"has":[23,28],"revolutionized":[24],"software":[25,86,155],"development,":[26],"it":[27],"also":[29],"created":[30],"critical":[31],"security":[32,143,150],"vulnerabilities,":[33],"particularly":[34],"in":[35],"essential":[36],"but":[37,58],"underresourced":[38],"projects.":[39],"This":[40,145],"paper":[41],"examines":[42],"a":[43,66,69,77,106],"sophisticated":[44],"attack":[45,83,118],"the":[47,59,117,121,166],"XZ":[48],"Utils":[49],"project":[50,136],"(CVE-2024-3094),":[51],"where":[52],"attackers":[53,130],"exploited":[54],"not":[55],"just":[56],"code,":[57],"entire":[60],"development":[62,113],"process":[63],"to":[64,94,98,135,140],"inject":[65],"backdoor":[67],"into":[68],"fundamental":[70],"Linux":[71],"compression":[72],"library.":[73],"Our":[74,126],"analysis":[75,151],"reveals":[76],"new":[78],"breed":[79],"supply":[81],"chain":[82],"that":[84],"manipulates":[85],"engineering":[87,156],"practices":[88,157],"themselves":[89,158],"-":[90,97],"from":[91],"community":[92],"management":[93],"CI/CD":[95],"configurations":[96],"establish":[99],"legitimacy":[100],"and":[101,112,138],"maintain":[102],"long-term":[103],"control.":[104],"Through":[105],"comprehensive":[107],"examination":[108],"GitHub":[110],"events":[111],"artifacts,":[114],"we":[115],"reconstruct":[116],"timeline,":[119],"analyze":[120],"evolution":[122],"attacker":[124],"tactics.":[125],"findings":[127],"demonstrate":[128],"how":[129,154],"leveraged":[131],"seemingly":[132],"beneficial":[133],"contributions":[134],"infrastructure":[137],"maintenance":[139],"bypass":[141],"traditional":[142,149],"measures.":[144],"work":[146],"extends":[147],"beyond":[148],"by":[152],"examining":[153],"can":[159],"be":[160],"weaponized,":[161],"offering":[162],"insights":[163],"for":[164],"protecting":[165],"ecosystem.":[168]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":2}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}