A stealth attack came close to compromising the world’s computers

On March 29th Andres Freund, an engineer at Microsoft, published a short detective story. In recent weeks he had noticed that SSH—a system to log on securely to another device over the internet—was running about 500 milliseconds more slowly than expected. Closer inspection revealed malicious code embedded deep inside XZ Utils, a piece of software designed for compressing data used inside the Linux operating system, which runs on virtually all publicly accessible internet servers. Those servers ultimately undergird the internet, including vital financial and government services. The malware would have served as a “master key”, allowing attackers to steal encrypted data or plant other malware.