Backdoor in XZ Utils allows unauthorized root access

WIRED April 2, 2024, 10:00 AM UTC

Summary: A backdoor was discovered in XZ Utils, a widely used data compression utility on Linux systems. Malicious code in versions 5.6.0 and 5.6.1 allowed unauthorized access with root privileges. The backdoor was part of a sophisticated supply chain attack, with the perpetrator, Jia Tan, infiltrating the project over years. The backdoor enabled the execution of malicious commands through SSH. The incident was described as a nightmare scenario by experts.

Article metrics
Significance: 7.2
Scale: 8.0
Magnitude: 9.0
Potential: 9.5
Novelty: 8.5
Actionability: 7.0
Immediacy: 9.5
Positivity: 1.0
Credibility: 9.5

Also covered in:

[6.6] Andres Freund prevented cybersecurity breach in XZ Utils software (The Hindu)
[6.6] Critical XZ Utils vulnerability allows unauthorized system access (Help Net Security)
[6.3] Critical xz package vulnerability discovered on Debian, CVE-2024-3094 (TechRadar)
[6.2] Linux narrowly avoided cyber attack from XZ Utils backdoor (The Verge)
[6.1] Backdoor discovered in XZ Utils by Microsoft developer (The Intercept)
[6.1] Critical XZ Utils vulnerability (CVE-2024-3094) compromises Linux systems (Help Net Security)
[5.9] Backdoor found in xz Utils for Linux systems (Ars Technica)
[5.9] Critical security flaw in xz-utils threatens Linux and macOS (Security Boulevard)
[5.9] XZ Utils compromised by maintainer "Jia Tan." (Help Net Security)
[5.9] Backdoor in XZ Utils poses security risk in Linux (Nextgov/FCW)
[5.9] Free online scanner detects XZ Utils backdoor in Linux (TechRadar)
[5.8] Critical Linux vulnerability; update XZ Utils before 5.6.0 (IT World Canada)
[5.7] Supply chain attack targets XZ Utils in Linux distributions (Cybersecurity Dive)
[5.6] Andres Freund uncovers sabotage in XZ Utils, preventing crisis (The Japan Times)
[5.6] Malicious code found in XZ Utils on Good Friday (The Guardian)
[5.6] Volunteer engineer finds cybersecurity threat in XZ Utils (The Japan Times)
[5.5] XZ Utils backdoored for covert SSH access on Linux (Help Net Security)
[5.5] Malicious code in xz libraries poses security threat (The New Stack)
[4.3] Backdoor in xz compression utility version 5.6.0 discovered (SC Media)
[4.1] Backdoor found in xz Utils 5.6.0/5.6.1, affecting Linux distributions (Ars Technica)