diff --git a/supply-chain-security/compromises/2024/xz.md b/supply-chain-security/compromises/2024/xz.md
new file mode 100644
index 000000000..6fec7a9c5
--- /dev/null
+++ b/supply-chain-security/compromises/2024/xz.md
@@ -0,0 +1,55 @@
+
+
+# Malicious maintainer introduces sophisticated backdoor in xz
+
+A backdoor was introduced in `xz`, a compression tool integral to various
+Linux distributions. Over the course of several years, a malicious actor
+or actors attained maintainer status and implanted a sophisticated,
+multi-stage backdoor that relied on the specific build processes of `xz`
+to activate, resulting in a modified `liblzma` library that can be used
+by any software linked against this library.
+
+## Impact
+
+The backdoor was discovered on March 28, 2024, specifically in versions
+5.6.0 and 5.6.1 of the XZ Utils package, and was assigned CVE-2024-3094.
+
+The compromised package was distributed across several Linux distributions
+including Fedora, Debian, Kali Linux, openSUSE, Arch Linux, and various
+package managers like Homebrew and pkgsrc.
+
+The apparent goal of this backdoor was to enable remote code execution
+via `sshd` on affected systems by intercepting the `RSA_public_decrypt()`
+function, looking for an attacker controlled key, and executing the payload
+via `system()` function.
+
+This incident achieved mainstream media coverage, driving further recognition
+of the threats involved in exploiting trust and lack of visibility into
+maintainer activities.
+
+The initial response guidance involved rolling back the version of `xz`,
+but this proved difficult in some ecosystems which had to intervene to
+create epochs. Also, for a number of days after the disclosure, the `xz`
+repository on GitHub was disabled which made it more cumbersome for the
+public to research what had happened.
+
+## Type of compromise
+
+While rooted on a malicious maintainer that attained this status by a
+long-term effort by an actor or actors to subvert the project, this incident
+also exhibits some attack chaining characteristics including the exploitation
+of trusted build and distribution mechanisms to deploy the backdoor. From
+the [Cloud Security Alliance](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide)
+report:
+
+> The backdoor was deliberately concealed by the developer. It gets incorporated
+into the binary during the RPM or DEB packaging process for x86-64 architecture,
+using gcc and gnu linker, under the guise of a "test" step.
+
+## References
+
+-
+-
+-
+-
+-
diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md
index acc19f68c..29389619f 100644
--- a/supply-chain-security/compromises/README.md
+++ b/supply-chain-security/compromises/README.md
@@ -30,6 +30,7 @@ of compromise needs added, please include that as well.
| Name | Year | Type of compromise | Link |
| ----------------- | ------------------ | ------------------ | ----------- |
+| [xz backdoor incident](2024/xz.md) | 2024 | Malicious Maintainer | [1](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide) |
| [GitGot: using GitHub repositories as exfiltration store](2024/gitgot.md) | 2024 | Trust and Signing | [1](https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data) |
| [ManageEngine xmlsec dependency](2023/xmlsec-manageengine.md) | 2023 | Outdated Dependencies | [1](ttps://flashpoint.io/blog/manageengine-apache-santuario-cve-2022-47966) |
| [Retool Spear Phishing](2023/retool-portal-mfa.md) | 2023 | Dev Tooling | [1](https://www.coindesk.com/business/2023/09/13/phishing-attack-on-cloud-provider-with-fortune-500-clients-led-to-15m-crypto-theft-from-fortress-trust/) |
@@ -62,7 +63,7 @@ of compromise needs added, please include that as well.
| [Abusing misconfigured SonarQube applications](2020/sonarqube.md) | 2020 | Dev Tooling | [1](https://www.zdnet.com/article/fbi-hackers-stole-source-code-from-us-government-agencies-and-private-companies/), [2](https://www.ic3.gov/Media/News/2020/201103-3.pdf) |
| [Octopus Scanner](2020/octopus_scanner.md) | 2020 | Dev Tooling | [1](https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain),[2](https://threatpost.com/octopus-scanner-tentacles-github-repositories/156204/) |
| [NPM reverse shells and data mining](2020/nodejs.md) | 2020 | Dev Tooling | [1](https://www.bleepingcomputer.com/news/security/npm-nukes-nodejs-malware-opening-windows-linux-reverse-shells/) |
-| [Binaries of the CLI for `monero` compromised](2019/monero.md) | 2019 | Publishing Infrastructure | [1](https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html), [2](https://github.com/monero-project/monero/issues/6151), [3](https://old.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/) |
+| [Binaries of the CLI for `monero` compromised](2019/monero.md) | 2019 | Publishing Infrastructure | [1](https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html), [2](https://github.com/monero-project/monero/issues/6151), [3](https://web.archive.org/web/20230630012925/https://old.reddit.com/r/Monero/comments/dyfozs/security_warning_cli_binaries_available_on/) |
| [Webmin backdoor](2019/webmin-backdoor.md) | 2019 | Dev Tooling | [1](https://www.zdnet.com/article/backdoor-found-in-webmin-a-popular-web-based-utility-for-managing-unix-servers/), [2](http://www.webmin.com/exploit.html) |
| [purescript-npm](2019/purescript-npm.md) | 2019 | Source Code | [1](https://www.npmjs.com/advisories/1082) and [2](https://www.npmjs.com/advisories/1082) |
| [electron-native-notify](2019/electron-native-notify.md) | 2019 | Source Code | [1](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm), [2](https://komodoplatform.com/update-agama-vulnerability/)|