The XZ Utils Backdoor: How a Single Malicious Commit Nearly Compromised Global SSH Security
A sophisticated multi-year operation planted a nearly undetectable backdoor in the widely used XZ Utils compression library (versions 5.6.0 and 5.6.1), enabling remote code execution via SSH. Discovered only by sheer luck during performance analysis, this supply-chain attack highlights critical vulnerabilities in open-source maintenance and the terrifying potential of social engineering targeting key maintainers.