Backdoor in XZ Utils exposes Linux security risks

In spring 2024, a sophisticated backdoor was discovered in the XZ Utils data compression library, versions 5.6.0 and 5.6.1, potentially allowing remote code execution via SSH on many Linux systems. The malicious code, injected by a pseudonymous contributor named Jia Tan, was uncovered by Microsoft engineer Andres Freund on March 29, 2024, after noticing unusual CPU usage during testing. This incident highlighted vulnerabilities in open-source software supply chains.

The XZ Utils backdoor rattled the open-source community in spring 2024, revealing how malicious code could infiltrate widely used tools. XZ Utils, essential for data compression in numerous Linux distributions, had versions 5.6.0 and 5.6.1 tampered with, enabling remote code execution through SSH if the affected versions reached production.

Andres Freund, a Microsoft engineer, first alerted others on March 29, 2024, after observing odd CPU patterns in routine tests. His investigation exposed the backdoor, averting widespread compromise. The attacker, using the pseudonym Jia Tan, built trust over two years by submitting benign patches before escalating privileges to insert the code.

The stealth came from hiding malicious elements in binary test files and build scripts within the Git repository, evading standard reviews. The code that activated them was distributed via release tarballs outside the main Git tree, bypassing many automated tools that inspect only the repository. Analysis from Optimized by Otto suggests that better Git practices, such as auditing commit histories and binary files, together with mandatory peer review, could have surfaced the anomalies earlier.

Debian's packaging processes also missed the threat, as the tainted versions neared inclusion in the unstable branch, which would have affected derivatives like Ubuntu and Fedora. Reproducible builds, and tools such as diffoscope for comparing source and binary packages, might have spotted the changes in the liblzma library.
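One concrete check that follows from the two points above (malicious build logic shipped only in the release tarball, and package tooling that compares artefacts against source): list every file in a release tarball that is neither tracked in git nor a known autotools-generated artefact. This is an added example, not code from the page, from XZ Utils or from any distribution; the allowlist, the tarball contents and the file names are all constructed for illustration.

```python
import fnmatch
import io
import tarfile

# Constructed allowlist: files a release tarball legitimately adds on top of the
# git tree (autotools output). Anything else that is absent from git is flagged
# for manual review rather than silently accepted.
EXPECTED_GENERATED = (
    "configure", "config.h.in", "aclocal.m4", "Makefile.in", "*/Makefile.in",
    "build-aux/*", "m4/libtool.m4", "m4/ltoptions.m4", "m4/ltsugar.m4",
    "m4/ltversion.m4", "m4/lt~obsolete.m4",
)

def _strip_top_dir(name):
    """Release tarballs wrap everything in 'pkg-version/'; drop that prefix."""
    parts = name.split("/", 1)
    return parts[1] if len(parts) == 2 else ""

def audit_tarball(tar_bytes, git_tracked):
    """Return tarball members that are neither tracked in git (git_tracked is
    the output of `git ls-files` at the release tag) nor on the allowlist."""
    tracked = set(git_tracked)
    unexpected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = _strip_top_dir(member.name)
            if not path or path in tracked:
                continue
            if any(fnmatch.fnmatch(path, pat) for pat in EXPECTED_GENERATED):
                continue
            unexpected.append(path)
    return sorted(unexpected)

def _build_sample_tarball(files):
    """Constructed in-memory .tar.gz standing in for a downloaded release."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name="pkg-1.0/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: one m4 file exists only in the tarball, as the real
# injected build logic did; everything else is tracked or expected output.
SAMPLE_GIT_FILES = ["src/lib.c", "m4/project.m4", "tests/files/good-1.xz"]
SAMPLE_TARBALL = _build_sample_tarball({
    "src/lib.c": b"int f(void) { return 0; }\n",
    "configure": b"#!/bin/sh\n",
    "m4/project.m4": b"dnl tracked macro\n",
    "m4/extra-hook.m4": b"dnl constructed: present only in the tarball\n",
})
```

In practice the allowlist should be generated once from a known-good release and pinned, so that a new "generated" file cannot quietly extend it.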

Jia Tan's approach included social engineering, pressuring original maintainer Lasse Collin to relinquish control. The event underscores the risks in volunteer-maintained projects and calls for systemic fixes, including funding for maintainers and security checks integrated into CI/CD pipelines. Organizations like OpenSSF have increased their efforts, while security firms like Akamai recommend version rollbacks and monitoring to mitigate risk in Linux-dependent enterprises.
