[c_rrodriguez]

Everybody here In jumping into the pure malice bandwagon, I have a better hypothesis.

Abandonment and inaction, the actual developers of these tools are elsewhere, oblivious to this drama, trying to make living because most of the time you are not compensated nor any corporation cares about making things sustainable at all. This is the default status of everything your fancy cloud depends on underneath.

An attacker took over of the project slowly and stayed dormant until recently.

[johnklos]

Except that doesn't match reality.

Someone has worked on xz for several years. Are you saying that this somewhat active contributor was likely actively contributing, then all of a sudden stopped, also stopped paying attention, and also allowed their account to be compromised or otherwise handed it over to a nefarious party?

That fails the sniff test.

[c_rrodriguez]

See, people drop dead from OSS projects pretty frecuently, usually because they take on other life responsabilities and there is no cushion or guard against a bus factor. Then it is very easy to get credentials compromised or have your project took over by someone else.

[ColonelPhantom]

Well, yeah. The attacker, operating largely under the name Jia Tan, has successfully manipulated the original author (Lasse Collin) to become a maintainer.

The attacker indeed laid dormant for two years, pretending to just be maintaining xz.

I really don't see any way how this wasn't malice on Jia's part. But I do think your hypothesis applies to Lasse, who was just happy someone could help him maintain xz.

[dkarras]

funding model of OSS work is obviously a problem, but these problems are deeper than that. even a very well compensated OSS developer can get a knock on the door from a government agency (or anyone with a "$5 wrench")[1] and they might feel "compelled" to give up their maintainer creds.

[1]: https://xkcd.com/538/