by hintymad 808 days ago
From what I read, it looks like it was not really social engineering per se but the good old way of earning trust, just like any ordinary engineer: the intruder joined the project three years ago and started to contribute patches. He also made good suggestions on design changes. Eventually he became a committer because he consistently made valuable contributions to the project.

P.S. This does not look like individual behavior. It's hard to imagine that an individual would spend three years just to plant a backdoor in sshd.

3 comments

It looks like he made multiple sock puppet accounts talking to himself on the mailing lists: https://boehs.org/node/everything-i-know-about-the-xz-backdo...

He made a sock puppet asking Debian to update the package in 'unstable' (along with other package update requests so it wouldn't look suspicious).

Given how widespread sshd is, I'd think it is realistic because the payoff would just be worth it if successful. The whole thing is also complex enough that it would take a while to develop. The attacker starts learning the internals of xz and in the process they develop the skills to contribute patches. So development of the attack and gaining trust go hand in hand.

I mean that is still social engineering, it is just really long-game social engineering.

And IDK that we've entirely ruled out that Jia Tan didn't wind up being blackmailed or coerced or something -- although if they were really running sockpuppets to get themselves added to the project up front that is probably less likely.