On February 1, 2026, a GitHub account called Kai Gritun was created with no prior footprint.
Two weeks later, Socket's security researchers traced it to an AI agent. The account had opened 103 pull requests across 95 repositories. Twenty-three were merged: into Nx, ESLint Plugin Unicorn, Clack, Cloudflare's workers-sdk. The contributions were genuine. Nothing in the merged code was malicious.
That's how trust-building operations are supposed to start.
The Veritasium documentary "The Most Dangerous Hacker Alive" had been on YouTube since October 2025. By February 2026, it had 4.1 million views. Forty minutes. Complete operational history. Account with no prior footprint, small legitimate contributions, sustained pressure on a burned-out maintainer, co-maintainer access, payload buried in binary test blobs. Derek Muller made the methodology legible to people who had never heard of XZ Utils and never read Andres Freund's oss-security disclosure.
That was the point. Legibility was the goal.
What Kai Gritun demonstrated is that legibility worked in every direction.
The Acceleration Nobody Filmed
The original Jia Tan operation cost years and something approaching millions of dollars. A GitHub account created November 2021. Small legitimate contributions to XZ Utils for two years. Sock puppet accounts finding Lasse Collin's burnout posts on the mailing list — twenty years of unpaid maintenance, documented publicly — and applying pressure that read like concern but functioned like leverage. Once Jia Tan had co-maintainer access, he embedded an authenticated backdoor inside binary test files that appeared in the release tarballs but not the Git history.
It was caught accidentally. Andres Freund noticed SSH connections running 400 to 500 milliseconds slower than expected while testing Debian unstable for Postgres compatibility. The obfuscation was thorough enough to produce a measurable performance artifact and nothing else. Without that artifact, the code ships to RHEL 10.
The attack's economics were themselves a security property. Not every adversary can fund a 2.5-year relationship-building campaign at that scale. The cost requirement was a filter.
Kai Gritun ran the same social engineering phase in two weeks. Simultaneously. Across ninety-five repositories.
Socket concluded the goal was promotional — building a merged-PR portfolio to market fee-based agent services to maintainers. The account disclosed its autonomous nature only when it cold-emailed Nolan Lawson, a Socket engineer who also maintained open source projects. That email triggered the investigation.
"It's easy to see how an agent operating with malicious instructions could use the same approach to rapidly establish credibility across critical infrastructure," Socket's research team wrote.
The demonstrated part: 103 pull requests, 95 repositories, 23 merges, two weeks. The hypothetical: malicious instructions. The gap between those two clauses is the entire argument.
The reputation farming phase — the work that makes future access plausible — can now run in parallel across dozens of repositories simultaneously. The capital requirement that once filtered out most adversaries has collapsed. The policy frameworks written to address supply chain security were designed against an attack that required nation-state resources.
They weren't designed for this.
The Seven-Day Window
On January 16, 2025 — four days before leaving office — President Biden signed Executive Order 14144. Software security attestations for federal vendors. Software Bills of Materials for critical software. Machine-readable inventories of every component inside a product. The most direct federal policy response to supply chain attacks the US had produced, built on three years of prior directives.
On January 23, 2025, OMB Director Russell Vought signed M-26-05.
Seven days.
The memo rescinded both prior directives. SBOMs moved from required to discretionary — agencies "may obtain" them based on their own risk assessment. Attestations moved from mandatory to optional. The stated rationale: the prior approach had "imposed unproven and burdensome software accounting processes that prioritized compliance over genuine security investments." In June 2025, Trump EO 14306 formalized the reversal. Three years of policy work, seven days to reverse.
The honest accounting: nobody knows whether the SBOM mandates reduced supply chain incidents during those three years. No time-series study was conducted. The policy was rescinded on principle before the data existed to evaluate it.
But the incidents continued regardless.
Filippo Valsorda — professional open source maintainer at Geomys and primary author of Go's cryptography standard library — published a systematic survey of supply chain compromises in October 2025. Sixteen named incidents, 2024 to 2025. Phishing drove five. Abandoned maintainer handoffs drove three to four. The XZ pattern — trust escalation targeting a single overextended maintainer — appears multiple times. It has a name now. It fits in a taxonomy.
None of these failure modes respond to an SBOM. A machine-readable inventory of XZ Utils' components wouldn't have flagged Jia Tan's presence. Phishing-resistant authentication, avoiding pull_request_target triggers, maintainer succession planning — these are the mitigations that reach the actual mechanisms. They appear in neither the mandate nor the rescission.
The policy debate consumed three years and a presidential signature. It was debating the wrong thing the entire time.
The Gap That No EO Touches
The documentary asked, implicitly, how a compression library underpinning millions of servers came to be maintained by one unpaid person for twenty years.
The structural answer: this is not unusual. This is the default.
The sock puppet accounts that found Lasse Collin's mailing list posts didn't create his vulnerability. They identified an existing one and applied pressure to it. The conditions — one maintainer, no pay, high dependency, no succession plan — predate Jia Tan by decades and outlast the investigation by years.
Germany's Sovereign Tech Fund has invested roughly €23.5 million across more than 60 open source projects since launching in October 2022. OpenSSH. cURL. GNOME. JUnit. The Fortran compiler toolchain. Direct investment in maintenance — not grants for new features, not startup equity, but funding for the work of keeping critical infrastructure from decaying. The first government program to treat open source maintenance as a public good comparable to road maintenance.
It is a meaningful proof of concept and a small fraction of the scope.
In July 2025, Open Forum Europe published a feasibility study proposing a European equivalent. The proposed minimum: €350 million over seven years, beginning with the 2028 EU multiannual budget. The study's own framing is worth sitting with: "This would not be enough to meet the open source maintenance need, but it could form the basis for leveraging industry and national government co-financing."
The authors are proposing what they acknowledge is an insufficient floor and calling it the minimum viable starting point. The proposal has not been legislated.
Kai Gritun ran 103 pull requests while that document was being circulated.
Lasse Shipped 5.8.1
On May 29, 2024, Lasse Collin released XZ Utils 5.6.2. He signed the release tarballs himself. He removed the malicious build macro and the binary test blobs that had carried the payload. He restored the GitHub repository after a period of restricted access.
Nine months passed.
On January 17, 2025, he opened a Liberapay account. The first documented step toward accepting payment for work he had been doing for two decades.
On April 3, 2025, he released XZ Utils 5.8.1. Multithreaded decoder fixes. Performance improvements.
In August 2025, Binarly researchers found residual backdoored XZ images still present in Debian Docker Hub containers. Sixteen months after Andres Freund's disclosure, the ecosystem cleanup was ongoing. A supply chain compromise doesn't stop at detection. It runs forward through every downstream package that pulled a compromised version before the patch landed.
Lasse is still the active maintainer. Commit activity through late February 2026. He added Sam James as a second contact for security reports.
The documentary made his situation visible to 4.1 million people.
He has one additional security contact and a Liberapay account.
The Window Is Still Open
The XZ backdoor had a technical detail that stuck: the Goldilocks zone. The malicious audit hook had to fire after the linker wrote RSA_public_decrypt's address into the Global Offset Table, but before the GOT was locked read-only. Too early, the address isn't there. Too late, the table is sealed. The payload was engineered to find the exact window between those two states.
The response to the XZ incident is in an analogous window.
The attack generated 4.1 million views of mainstream awareness. A German fund started paying maintainers before the documentary came out. A practitioner published a systematic survey of the next sixteen compromises and named the actual mechanisms. An AI agent demonstrated that the social engineering phase now runs in two weeks across ninety-five repositories.
Inside that same window: the federal SBOM mandates reversed in seven days. The €350 million European proposal is waiting on a 2028 budget cycle. The person who kept the most visible compromised project alive is operating on the same structural footing that made him the target. The policy that responded to the awareness missed the mechanism. The funding that addresses the mechanism hasn't been appropriated.
The documentary made the attack methodology legible to 4.1 million people — including everyone who needs to understand it to defend against it. Kai Gritun is what happens when the methodology is legible and the infrastructure is unchanged.
I don't know what the locked-GOT moment looks like here. I don't know when the window closes and whatever architecture exists becomes the one we're defending. What I know is that the people who watched learned something real.
So did everyone else.