{"id":"https://openalex.org/W4415307550","doi":"https://doi.org/10.48550/arxiv.2504.17473","title":"Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack","display_name":"Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack","publication_year":2025,"publication_date":"2025-04-24","ids":{"openalex":"https://openalex.org/W4415307550","doi":"https://doi.org/10.48550/arxiv.2504.17473"},"language":"en","primary_location":{"id":"pmh:oai:arXiv.org:2504.17473","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2504.17473","pdf_url":"https://arxiv.org/pdf/2504.17473","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"type":"preprint","indexed_in":["arxiv","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://arxiv.org/pdf/2504.17473","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5053506993","display_name":"Piotr Przymus","orcid":"https://orcid.org/0000-0001-9548-2388"},"institutions":[{"id":"https://openalex.org/I3019271933","display_name":"Nicolaus Copernicus University","ror":"https://ror.org/0102mm775","country_code":"PL","type":"education","lineage":["https://openalex.org/I3019271933"]}],"countries":["PL"],"is_corresponding":false,"raw_author_name":"Przymus, Piotr","raw_affiliation_strings":["Nicolaus Copernicus University in Torun, Poland"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Nicolaus Copernicus University in Torun, Poland","institution_ids":["https://openalex.org/I3019271933"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5043941055","display_name":"Thomas Durieux","orcid":"https://orcid.org/0000-0002-1996-6134"},"institutions":[{"id":"https://openalex.org/I4210161856","display_name":"Science and Technology Corporation (Netherlands)","ror":"https://ror.org/050regf97","country_code":"NL","type":"company","lineage":["https://openalex.org/I4210161856"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Durieux, Thomas","raw_affiliation_strings":["TU Delft & Endor Labs, The Netherlands"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"TU Delft & Endor Labs, The Netherlands","institution_ids":["https://openalex.org/I4210161856"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":2,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10430","display_name":"Software Engineering Techniques and Practices","score":0.9204000234603882,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10430","display_name":"Software Engineering Techniques and Practices","score":0.9204000234603882,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/backdoor","display_name":"Backdoor","score":0.5503000020980835},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.4830999970436096},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.4699999988079071},{"id":"https://openalex.org/keywords/software-development","display_name":"Software development","score":0.439300000667572},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.41350001096725464},{"id":"https://openalex.org/keywords/supply-chain","display_name":"Supply chain","score":0.41200000047683716},{"id":"https://openalex.org/keywords/work","display_name":"Work (physics)","score":0.40130001306533813},{"id":"https://openalex.org/keywords/software-development-process","display_name":"Software development process","score":0.39399999380111694},{"id":"https://openalex.org/keywords/security-bug","display_name":"Security bug","score":0.37560001015663147}],"concepts":[{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6466000080108643},{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.5503000020980835},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.4830999970436096},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.4699999988079071},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.44839999079704285},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.439300000667572},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.41350001096725464},{"id":"https://openalex.org/C108713360","wikidata":"https://www.wikidata.org/wiki/Q1824206","display_name":"Supply chain","level":2,"score":0.41200000047683716},{"id":"https://openalex.org/C18762648","wikidata":"https://www.wikidata.org/wiki/Q42213","display_name":"Work (physics)","level":2,"score":0.40130001306533813},{"id":"https://openalex.org/C180152950","wikidata":"https://www.wikidata.org/wiki/Q2904257","display_name":"Software development process","level":4,"score":0.39399999380111694},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.38589999079704285},{"id":"https://openalex.org/C131275738","wikidata":"https://www.wikidata.org/wiki/Q7445023","display_name":"Security bug","level":5,"score":0.37560001015663147},{"id":"https://openalex.org/C182500959","wikidata":"https://www.wikidata.org/wiki/Q7551380","display_name":"Social software engineering","level":5,"score":0.3749000132083893},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.33629998564720154},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.3292999863624573},{"id":"https://openalex.org/C207850805","wikidata":"https://www.wikidata.org/wiki/Q269608","display_name":"Reverse engineering","level":2,"score":0.32030001282691956},{"id":"https://openalex.org/C184356942","wikidata":"https://www.wikidata.org/wiki/Q830382","display_name":"Best practice","level":2,"score":0.3122999966144562},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.3025999963283539},{"id":"https://openalex.org/C32896092","wikidata":"https://www.wikidata.org/wiki/Q189447","display_name":"Risk management","level":2,"score":0.29159998893737793},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.2867000102996826},{"id":"https://openalex.org/C165609540","wikidata":"https://www.wikidata.org/wiki/Q1172486","display_name":"Data breach","level":2,"score":0.28540000319480896},{"id":"https://openalex.org/C46295352","wikidata":"https://www.wikidata.org/wiki/Q207982","display_name":"Legitimacy","level":3,"score":0.2743000090122223},{"id":"https://openalex.org/C149091818","wikidata":"https://www.wikidata.org/wiki/Q2429814","display_name":"Software system","level":3,"score":0.2680000066757202},{"id":"https://openalex.org/C44104985","wikidata":"https://www.wikidata.org/wiki/Q492886","display_name":"Supply chain management","level":3,"score":0.2662000060081482},{"id":"https://openalex.org/C195094911","wikidata":"https://www.wikidata.org/wiki/Q14167904","display_name":"Process management","level":1,"score":0.25609999895095825},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.25540000200271606},{"id":"https://openalex.org/C2780741293","wikidata":"https://www.wikidata.org/wiki/Q4818019","display_name":"Attack patterns","level":3,"score":0.2526000142097473}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:oai:arXiv.org:2504.17473","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2504.17473","pdf_url":"https://arxiv.org/pdf/2504.17473","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},{"id":"doi:10.48550/arxiv.2504.17473","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2504.17473","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:oai:arXiv.org:2504.17473","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2504.17473","pdf_url":"https://arxiv.org/pdf/2504.17473","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4415307550.pdf","grobid_xml":"https://content.openalex.org/works/W4415307550.grobid-xml"},"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"The":[0],"digital":[1],"economy":[2],"runs":[3],"on":[4,46],"Open":[5],"Source":[6],"Software":[7],"(OSS),":[8],"with":[9],"an":[10],"estimated":[11],"90\\%":[12],"of":[13,80,109,123],"modern":[14],"applications":[15],"containing":[16],"open-source":[17,61,167],"components.":[18],"While":[19],"this":[20],"widespread":[21],"adoption":[22],"has":[23,28],"revolutionized":[24],"software":[25,86,155],"development,":[26],"it":[27],"also":[29],"created":[30],"critical":[31],"security":[32,143,150],"vulnerabilities,":[33],"particularly":[34],"in":[35],"essential":[36],"but":[37,58],"under-resourced":[38],"projects.":[39],"This":[40,145],"paper":[41],"examines":[42],"a":[43,66,69,77,106],"sophisticated":[44],"attack":[45,83,118],"the":[47,59,117,121,166],"XZ":[48],"Utils":[49],"project":[50,136],"(CVE-2024-3094),":[51],"where":[52],"attackers":[53,130],"exploited":[54],"not":[55],"just":[56],"code,":[57],"entire":[60],"development":[62,113],"process":[63],"to":[64,94,98,135,140],"inject":[65],"backdoor":[67],"into":[68],"fundamental":[70],"Linux":[71],"compression":[72],"library.":[73],"Our":[74,126],"analysis":[75,151],"reveals":[76],"new":[78],"breed":[79],"supply":[81],"chain":[82],"that":[84],"manipulates":[85],"engineering":[87,156],"practices":[88,157],"themselves":[89,158],"--":[90,97],"from":[91],"community":[92],"management":[93],"CI/CD":[95],"configurations":[96],"establish":[99],"legitimacy":[100],"and":[101,112,138],"maintain":[102],"long-term":[103],"control.":[104],"Through":[105],"comprehensive":[107],"examination":[108],"GitHub":[110],"events":[111],"artifacts,":[114],"we":[115],"reconstruct":[116],"timeline,":[119],"analyze":[120],"evolution":[122],"attacker":[124],"tactics.":[125],"findings":[127],"demonstrate":[128],"how":[129,154],"leveraged":[131],"seemingly":[132],"beneficial":[133],"contributions":[134],"infrastructure":[137],"maintenance":[139],"bypass":[141],"traditional":[142,149],"measures.":[144],"work":[146],"extends":[147],"beyond":[148],"by":[152],"examining":[153],"can":[159],"be":[160],"weaponized,":[161],"offering":[162],"insights":[163],"for":[164],"protecting":[165],"ecosystem.":[168]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-18T00:00:00"}