The Open Source Trap: Why Trust Isn’t a Security Strategy

The XZ Utils backdoor was a wake-up call, but the underlying problem it exposed has not gone away. Sophisticated adversaries are playing the long game, spending months or years earning trust within open source projects before introducing malicious code into libraries that sit at the foundation of modern software infrastructure. Mike Vizard and Josh Bressers, VP of security at Anchore, dig into why the software supply chain remains dangerously vulnerable and what the industry is getting wrong in its response.

Bressers points out that the vast majority of open source projects are maintained by a single person or a very small group of volunteers. These maintainers are often overworked and under-resourced, managing critical dependencies that thousands of organizations rely on in production. When an attacker targets one of these projects, the maintainer is the entire security perimeter. No amount of scanning or compliance tooling downstream can fully compensate for a compromise that happens at the source.

The instinct for most organizations is to throw money or tooling at the problem, but Bressers argues that approach misses the point. Running vulnerability scanners is necessary but insufficient. The deeper issue is that companies consuming open source at scale are not contributing back in meaningful ways, whether through code review, maintenance support or funding that actually reaches the people doing the work. The supply chain cannot be secured from the outside alone.

Trust has functioned as the default security model for open source adoption, and the XZ Utils incident demonstrated exactly how that model can be exploited. Moving to a “trust but verify” approach requires organizations to understand what is actually in their dependency trees and to take an active role in protecting the projects they depend on.
