Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack

📅 2025-04-24
📈 Citations: 0
Influential: 0
🤖 AI Summary
This paper investigates the XZ Utils backdoor attack (CVE-2024-3094), a paradigmatic supply chain compromise, revealing how attackers systematically manipulate open-source collaboration processes—including community governance, contribution review, and CI/CD infrastructure—to establish long-term trust and stealthy persistence. Unlike conventional research focused on code or build artifacts, this work identifies software engineering practices themselves as an attack surface. Method: Leveraging GitHub event log mining, temporal behavioral modeling, contributor pattern analysis, and infrastructure configuration auditing, we reconstruct the full attack timeline and validate that legitimate-seeming maintenance activities evaded existing security checks. Contribution/Results: We introduce the novel concept of “process-level supply chain attacks” and propose a practical, deployable framework for detecting process anomalies in open-source projects, along with actionable governance enhancement strategies to strengthen ecosystem resilience.

📝 Abstract
The digital economy runs on Open Source Software (OSS), with an estimated 90% of modern applications containing open-source components. While this widespread adoption has revolutionized software development, it has also created critical security vulnerabilities, particularly in essential but under-resourced projects. This paper examines a sophisticated attack on the XZ Utils project (CVE-2024-3094), where attackers exploited not just code, but the entire open-source development process, to inject a backdoor into a fundamental Linux compression library. Our analysis reveals a new breed of supply chain attack that manipulates software engineering practices themselves -- from community management to CI/CD configurations -- to establish legitimacy and maintain long-term control. Through a comprehensive examination of GitHub events and development artifacts, we reconstruct the attack timeline and analyze the evolution of attacker tactics. Our findings demonstrate how attackers leveraged seemingly beneficial contributions to project infrastructure and maintenance to bypass traditional security measures. This work extends beyond traditional security analysis by examining how software engineering practices themselves can be weaponized, offering insights for protecting the open-source ecosystem.
Problem

Research questions and friction points this paper is trying to address.

Analyzes XZ Utils supply chain attack exploiting OSS vulnerabilities
Examines weaponization of software engineering practices in attacks
Investigates attacker tactics bypassing traditional security measures
Innovation

Methods, ideas, or system contributions that make the work stand out.

Shows how attackers exploited vulnerabilities in the open-source development process itself, not only in code
Shows how attackers manipulated software engineering practices to establish legitimacy
Shows how attackers leveraged seemingly beneficial contributions to bypass security measures