The Ghost Code Running Your Bank App

May 26, 2026

The open source dependency crisis is real. Here is who gets paid to solve it.


Somewhere buried inside the software stack of a major bank, a cloud platform, or a government server is a small chunk of code written by a single developer in the late 1990s or early 2000s. That developer has probably moved on. Maybe retired. Maybe just stopped caring. The code is still there, untouched, doing its quiet job, holding up digital infrastructure worth trillions of dollars.

This is not a hypothetical.


What Actually Happened

In late March 2024, a Microsoft engineer named Andres Freund noticed something odd. SSH logins on his Debian test system were running about 500 milliseconds slower than expected. Half a second. The kind of lag most people blame on the network and forget about immediately.

Freund kept pulling the thread.

What he eventually found was not a misconfiguration. It was a carefully constructed, multi-layered backdoor embedded inside XZ Utils – a foundational compression library present on virtually every major Linux distribution. The kind of software that quietly ships with routers, web servers, smartphones, and the infrastructure running cloud networks globally.

The severity rating assigned to the vulnerability was a 10.0 out of 10. The maximum score possible. Computer scientist Alex Stamos called it potentially “the most widespread and effective backdoor ever planted in any software product.” Had it reached stable Linux distributions before being caught, it would have granted remote, unauthenticated access to potentially millions of servers running systemd-linked OpenSSH. Banking apps. Cloud infrastructure. Government systems.

It was caught. Barely.


The One Guy in Nebraska Problem

There is a famous XKCD comic that illustrates this perfectly. All of modern digital infrastructure balanced on top of a single small block, labeled: “a project some random person in Nebraska has been thanklessly maintaining since 2003.” It was drawn as a joke. It is not a joke.

XZ Utils was primarily maintained by a single unpaid volunteer. When that volunteer ran into personal difficulties, they passed maintenance responsibilities to a new contributor going by “Jia Tan.” That new contributor spent nearly two years building credibility inside the project before inserting a backdoor that enabled full remote code execution on any affected machine. Based on the sophistication and the multi-year timeframe, researchers believe the actor is likely a state-aligned entity.

Slight tangent worth noting: this same pattern had already played out once before with OpenSSL and Heartbleed in 2014. A team of no more than three or four developers was responsible for maintaining nearly half a million lines of code securing two-thirds of all web servers on the internet at the time. The attack surface does not shrink. The maintainer headcount does not grow. That gap is exactly where adversaries operate.


The Scale of the Problem

This is not isolated. According to Sonatype’s 2024 State of the Software Supply Chain Report:

  • 1 in 8 open-source downloads in 2023 contained a known vulnerability
  • Supply chain attacks targeting upstream dependencies increased 742% over three years
  • The average detection time for a compromised package was 218 days
  • 84% of codebases analyzed contained at least one known vulnerability

Ingress-Nginx, considered vital infrastructure in cloud-native environments, had only two people doing development work on their own time after work and on weekends before its maintainers recently signaled they could no longer sustain it. That is not an edge case. It is the standard operating model for much of the internet’s invisible backbone.

And the problem is getting more acute, not less. As AI accelerates both software development and the discovery of vulnerabilities, maintainers are being flooded with security findings without the resources to triage and address them.


Where the Money Is Going

The XZ incident triggered a wave of institutional acknowledgment that this problem is real and needs funded solutions. In March 2026, the Linux Foundation announced $12.5 million in grant funding from Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI directed at securing the open source ecosystem. The money flows through Alpha-Omega and the OpenSSF. It is a start. It is also a signal that the biggest tech companies now treat this as infrastructure spending, not charity.

For investors, that shift in posture matters.


Companies to Watch

The ghost code problem is a structural demand driver for the cybersecurity sector. Every supply chain attack – and they are accelerating – pushes more enterprise budget toward detection, monitoring, and response platforms. Global cybersecurity spending is projected near $248 billion in 2026, building on Gartner’s $213 billion estimate for 2025. The sector remains one of the most recession-resistant areas in technology because security spending is non-discretionary.

  • CrowdStrike (CRWD) – Fiscal year 2026 revenue reached $4.81 billion, up 22% year-over-year. Annual recurring revenue hit $5.25 billion with 97% gross retention. The platform approach, anchored by the Falcon suite, covers endpoint security, threat intelligence, cloud workload protection, and identity. Morgan Stanley cites CrowdStrike’s kernel-level access in Microsoft environments and large proprietary data as a durable edge in AI-driven threat detection.
  • Palo Alto Networks (PANW) – The largest pure-play cybersecurity company by revenue and market cap. Its platformization strategy is designed to consolidate customers onto unified security platforms, reducing the fragmented vendor exposure that supply chain attackers exploit. Trading at a pullback from its October 2025 highs, which creates a potentially better entry for patient buyers.
  • SentinelOne (S) – At roughly 3.5x revenue, SentinelOne offers asymmetric risk-reward relative to larger peers. Its AI-native Singularity Platform is built for automated detection at the speed supply chain attacks now demand. Morgan Stanley’s top cybersecurity picks heading into the back half of 2026 include SentinelOne, targeting 20% revenue growth in FY27.
  • Fortinet (FTNT) – Fortinet offers the best value in the sector at roughly 30x forward earnings, combining firewall hardware leadership with a growing cloud security stack. Less headline risk than the pure-plays, more cash generation.
  • First Trust NASDAQ Cybersecurity ETF (CIBR) – With $9.44 billion in AUM and an expense ratio of 0.58%, CIBR holds 30 cybersecurity names including CrowdStrike, Palo Alto, Broadcom, and Cisco as its top four weights. For bargain hunters who would rather not concentrate in a single name, this is the basket.

The Cheap Investor Scorecard

  • Did the XZ incident reach stable Linux production systems? No. Caught pre-release. Damage contained.
  • Is this a one-time event? No. The Open Source Security Foundation warned the XZ pattern “may not be an isolated incident” and documented similar social engineering attempts against JavaScript projects.
  • Is the ghost code problem being fixed? Slowly. The $12.5M Linux Foundation grant is real but represents a fraction of what the ecosystem needs.
  • Does cybersecurity spend hold during recessions? Historically yes. Security is non-discretionary for regulated industries.
  • Which name has the most near-term valuation cushion? Fortinet at ~30x forward earnings. SentinelOne at ~3.5x revenue is the higher-risk speculative position.
  • Is AI making this better or worse? Both. AI is accelerating vulnerability discovery. It is also accelerating attack sophistication. The arms race benefits security vendors, not attackers.

The part people skip when they read about XZ Utils is the most important part: the backdoor was not caught by any formal security audit, automated scanning tool, or supply chain monitoring system. It was found because one engineer noticed SSH was running half a second slower than normal while benchmarking something completely unrelated.

If Andres Freund had been busy that afternoon, this conversation would be very different.

That fragility is not going away. The demand for companies that can systematically detect what individuals stumble upon by accident – that is the long-term investment case here. Everything else is just details.
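The half-second regression that exposed XZ was noticed by hand. The check below, an added example and not code from the original article or from any vendor it names, shows the systematic version of the same observation: compare a baseline of SSH login timings against a fresh sample and flag a sustained shift, while tolerating a single slow login. All timing values are constructed; the harness that collects them is assumed to exist.

```python
"""Baseline-vs-sample latency regression check over constructed SSH login timings.

Assumption: each value is wall-clock seconds for one login, collected by a
benchmark you already run (for example timing a no-op ssh command). The
numbers below are constructed for the example, not real measurements.
"""
from statistics import median

# Constructed baseline: login times on a healthy sshd, in seconds.
BASELINE_LOGINS = [0.21, 0.23, 0.20, 0.22, 0.24, 0.21, 0.22, 0.23]
# Constructed sample after a package update: every login about 0.5 s slower,
# the kind of shift the XZ backdoor's extra startup work produced.
SUSPECT_LOGINS = [0.72, 0.74, 0.71, 0.73, 0.75, 0.72, 0.73, 0.74]
# Constructed sample with one network hiccup but no systematic drift.
NOISY_LOGINS = [0.22, 0.21, 0.95, 0.23, 0.22, 0.21, 0.22, 0.23]


def mad(values, center):
    """Median absolute deviation: a spread estimate that one outlier cannot inflate."""
    return median(abs(v - center) for v in values)


def latency_regression(baseline, sample, min_shift=0.1, k=5.0):
    """Return (regressed, shift_seconds).

    regressed is True only when the sample median exceeds the baseline median
    by at least min_shift seconds AND by more than k baseline MADs, so a lone
    slow login (as in NOISY_LOGINS) does not trip it but a sustained
    half-second slowdown does. Medians are used so outliers do not dominate.
    """
    b_med = median(baseline)
    s_med = median(sample)
    shift = s_med - b_med
    # Floor the spread so a perfectly flat baseline still yields a usable threshold.
    spread = max(mad(baseline, b_med), 1e-3)
    regressed = shift >= min_shift and shift > k * spread
    return regressed, round(shift, 3)


if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT_LOGINS), ("noisy", NOISY_LOGINS)):
        flag, shift = latency_regression(BASELINE_LOGINS, sample)
        print(f"{name}: shift={shift:+.3f}s regressed={flag}")
```

A flagged shift is a prompt to look at what changed on the host (recent package updates, what sshd now links against), not proof of compromise on its own.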

Stay cheap,
The Cheap Investor