Urgent Alert: Supply Chain Attack Targets XZ Utils with Hidden Backdoor
March 30, 2024
Red Hat has issued an urgent security alert for a supply chain attack on XZ Utils, affecting versions 5.6.0 and 5.6.1.
Security expert Andres Freund discovered a backdoor in the library, which was hidden in obfuscated code and could execute malicious code using an RSA key.
An individual named 'Jia Tan' took control of the xz project, resulting in the adoption of compromised xz packages by Linux distributions and Homebrew.
The incident spotlights the vulnerability of small, critical open-source software libraries due to inadequate maintenance and community support.
CISA has released an alert, and xz project leader Lasse Collin is working to secure the project, while authorities investigate the attack.
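The alert names two affected releases, 5.6.0 and 5.6.1. The following check, added here as an example and not taken from any of the sources below, parses the two lines that `xz --version` prints (the `xz` binary line and the `liblzma` library line) and reports whether either component is one of the named versions. The sample outputs are constructed; the output format assumed is `xz (XZ Utils) X.Y.Z` followed by `liblzma X.Y.Z`.

```python
import re
import shutil
import subprocess

# The two release versions named in the advisory.
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

# `xz --version` prints two lines, for example:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# The library line matters as much as the binary line, because other
# programs load liblzma rather than running the xz binary.
_XZ_LINE = re.compile(r"^xz \(XZ Utils\) (\d+)\.(\d+)\.(\d+)", re.M)
_LZMA_LINE = re.compile(r"^liblzma (\d+)\.(\d+)\.(\d+)", re.M)


def parse_xz_version(output):
    """Return {'xz': (major, minor, patch), 'liblzma': (...)} for each line found."""
    found = {}
    for name, pattern in (("xz", _XZ_LINE), ("liblzma", _LZMA_LINE)):
        m = pattern.search(output)
        if m:
            found[name] = tuple(int(g) for g in m.groups())
    return found


def affected_components(output):
    """Sorted names of components whose version is one of the backdoored releases."""
    versions = parse_xz_version(output)
    return sorted(name for name, ver in versions.items() if ver in AFFECTED_VERSIONS)


def check_local_xz():
    """Run the installed xz and return (raw output, affected component names).

    Returns (None, []) when no xz binary is on PATH.
    """
    if shutil.which("xz") is None:
        return None, []
    proc = subprocess.run(["xz", "--version"], capture_output=True, text=True, check=False)
    return proc.stdout, affected_components(proc.stdout)


# Constructed sample outputs (not captured from any real host).
SAMPLE_AFFECTED = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_CLEAN = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"
SAMPLE_MIXED = "xz (XZ Utils) 5.4.6\nliblzma 5.6.0\n"   # binary clean, library affected

if __name__ == "__main__":
    for label, sample in (("affected", SAMPLE_AFFECTED), ("clean", SAMPLE_CLEAN), ("mixed", SAMPLE_MIXED)):
        print(label, parse_xz_version(sample), "->", affected_components(sample) or "not affected")
    out, hits = check_local_xz()
    if out is None:
        print("local: xz not installed")
    else:
        print("local:", hits or "not affected")
```

A matching version string is an indicator, not proof that a host was exploited; distributions that shipped remediated packages may report a different version string, so the distribution's own advisory is the authority on whether an installed package is safe.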
Summary based on 6 sources
Sources

The Hacker News • Mar 30, 2024
Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros
lcamtuf’s thing • Mar 30, 2024
Technologist vs spy: the xz backdoor debate
404 Media • Mar 30, 2024
The Xz Backdoor Highlights the Vulnerability of Open Source Software—and Its Strengths
gynvael.coldwind//vx.log • Mar 30, 2024
xz/liblzma: Bash-stage Obfuscation Explained