Malicious code was embedded in XZ Utils versions 5.6.0 and 5.6.1 impacting SSH, possibly allowing remote access or code execution.

🤔 Open Questions

• What does the payload do?
  • ⭐️ Filippo Valsorda - “It’s RCE, not auth bypass, and gated/unreplayable.”
  • Payload Analysis
  • oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
• What do we know about the threat actor?
  • ⭐️ The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind - WIRED
  • Possible discussion with threat actor
  • Github Profile of backdoor committer
  • Attacking GitHub account commit history
  • thegrugq on attacker interactions with Fedora
• Are there confirmed exploitations?
  • No links yet.

📅 Timeline

2024-04-03

• ⭐️ The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind - WIRED

2024-04-02

• ⭐️ research!rsc: The xz attack shell script

2024-04-01

• ⭐️ research!rsc: Timeline of the xz open source attack

2024-03-30

• ⭐️ Filippo Valsorda - “It’s RCE, not auth bypass, and gated/unreplayable.”
• ⭐️ XZ Backdoor: Times, damned times, and scams

2024-03-29

• Start Here: 🏁 oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
• ⭐️ Attack Timeline
• ⭐️ Backdoor in upstream xz/liblzma leading to SSH server compromise - Hacker News
• ⭐️ Payload Analysis
• Debian
• Xe Iaso
• Red Hat, CISA Warn of XZ Utils Backdoor - Decipher
• Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 - CISA
• Bug #2059417 “Sync xz-utils 5.6.1-1 (main) from Debian unstable …” : Bugs : xz-utils package : Ubuntu
• lcamtuf analysis