This vulnerability in the XZ compression library, tracked as CVE-2024-3094, is a deliberate attack on the software supply chain, particularly within open-source ecosystems. The backdoor was introduced by Jia Tan, a maintainer of the XZ library who had contributed to the project for over two years and had gained the access needed to merge his own work. The vulnerability was discovered by Andres Freund, a developer at Microsoft, who noticed unusual CPU usage and delays in SSH logins. The exploit involved manipulative contributions and patches from new, suspicious accounts over several years, culminating in a backdoor that compromised the security of the tool. The incident highlights weaknesses in open-source project management and the importance of thorough code review and maintainer support.

The affected systems include Linux distributions such as Fedora 41 and Rawhide, macOS versions, and Kali Linux installations updated within a specific window in March. Bug bounty hunters and customers are advised to check whether they are vulnerable and take the necessary precautions, including downgrading to a secure version of the XZ Utils package.

Bugcrowd's internal security team was unaffected, but the company is preparing for potential large-scale critical findings and has published its Software Bill of Materials code in an open-source capacity. The incident serves as a wake-up call for the tech community to reassess and strengthen the security practices surrounding open-source software.
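The "check whether you are vulnerable" step above amounts to comparing the installed XZ Utils version with the versions named in the advisory. The following POSIX shell script is an added example written for this page, not Bugcrowd's code or anything from the XZ project: it parses the banner printed by `xz --version` and reports whether that version appears in a caller-supplied list. The affected version numbers themselves are not stated on this page, so the script reads them from the `AFFECTED_XZ_VERSIONS` environment variable (a name chosen here) and expects you to fill it from the CVE-2024-3094 advisory for your distribution.

```shell
#!/bin/sh
# Added example: compare the installed xz version against a list of
# affected versions. The list is NOT on this page; set it from the advisory:
#   AFFECTED_XZ_VERSIONS="<versions from advisory>" sh check_xz.sh
AFFECTED_XZ_VERSIONS="${AFFECTED_XZ_VERSIONS:-}"

# xz_version_from_banner BANNER
#   Extract the X.Y.Z version from the first line of `xz --version` output,
#   e.g. "xz (XZ Utils) 5.4.6" -> "5.4.6". Returns 1 if no version is found.
xz_version_from_banner() {
    v=$(printf '%s\n' "$1" | awk 'NR == 1 { print $NF }')
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*) printf '%s\n' "$v" ;;
        *) return 1 ;;
    esac
}

# is_affected VERSION "V1 V2 ..."
#   Exit 0 if VERSION exactly matches an entry of the space-separated list.
#   An empty list never matches.
is_affected() {
    ver=$1
    for candidate in $2; do
        [ "$ver" = "$candidate" ] && return 0
    done
    return 1
}

# check_installed_xz "V1 V2 ..."
#   Run xz --version on this host and report. Exit codes:
#   0 = not in list, 1 = in list (downgrade/patch), 2 = could not determine.
check_installed_xz() {
    if [ -z "$1" ]; then
        echo "no affected versions supplied; set AFFECTED_XZ_VERSIONS from the advisory"
        return 2
    fi
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz is not installed or not on PATH"
        return 2
    fi
    banner=$(xz --version 2>/dev/null)
    if ! ver=$(xz_version_from_banner "$banner"); then
        echo "could not parse xz version from: $banner"
        return 2
    fi
    if is_affected "$ver" "$1"; then
        echo "xz $ver is in the affected list: downgrade to the secure package build"
        return 1
    fi
    echo "xz $ver is not in the affected list"
    return 0
}

# Run the check for this host; the status is kept for callers that source
# this file rather than executing it.
xz_check_status=0
check_installed_xz "$AFFECTED_XZ_VERSIONS" || xz_check_status=$?
```

The version string is taken from the first line of the banner only, because some builds print a second `liblzma` line; the comparison is an exact match rather than a numeric range so that a typo in the supplied list fails closed (reported as "not in the list") rather than silently widening the match. On systems such as Fedora or Kali, the package manager's own version query for the `xz` and `liblzma` packages is the authoritative check, and this script is a portable first pass.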