Originally reported by Sam Bent
TL;DR
A developer named Dylan managed to push age verification code into systemd, Ubuntu, and Arch Linux distributions by exploiting trust relationships with Microsoft employees who had commit access. Despite calling the effort 'hilariously pointless' in the pull request itself, systemd maintainer Lennart Poettering blocked attempts to revert the changes.
While this is not an immediate security vulnerability, it represents a concerning supply chain compromise attempt targeting critical Linux infrastructure components. The successful merge into multiple distributions demonstrates potential weaknesses in open source review processes.
A developer identified as Dylan successfully executed a social engineering campaign targeting major Linux distributions, pushing age verification code into systemd, Ubuntu, and Arch Linux repositories. According to Sam Bent's analysis, the campaign exploited trust relationships and commit access privileges to introduce unwanted compliance mechanisms into critical open source infrastructure.
The campaign relied on social manipulation rather than technical exploitation. Dylan leveraged relationships with two Microsoft employees who possessed commit privileges across the targeted repositories. Despite explicitly describing the effort as "hilariously pointless" within the pull request documentation itself, the code was successfully merged into production branches.
The targeting of systemd represents a particularly concerning attack vector, given its central role in modern Linux distributions. Age verification mechanisms in core system components could establish precedents for broader compliance enforcement at the operating system level.
Following the successful merge, attempts to revert the age verification code encountered resistance from systemd maintainer Lennart Poettering, who personally blocked reversal efforts. This response pattern suggests potential coordination or institutional pressure beyond the individual developer's initial campaign.
The incident highlights vulnerabilities in distributed open source governance models, where trust relationships and commit privileges can be exploited to introduce unwanted functionality across multiple critical projects simultaneously.
The successful coordination across systemd, Ubuntu, and Arch Linux demonstrates the interconnected nature of Linux distribution supply chains. A single coordinated effort targeting key maintainers with cross-project access can affect millions of systems running these distributions.
The campaign's explicit acknowledgment of its "pointless" nature while still achieving successful deployment suggests either inadequate code review processes or deliberate institutional acceptance of compliance-focused modifications to core system components.