Backdoor in XZ Utils allows unauthorized root access

WIRED April 2, 2024, 10:00 AM UTC

Summary: A backdoor was discovered in XZ Utils, a data compression utility widely used on Linux systems. Malicious code in versions 5.6.0 and 5.6.1 allowed unauthorized access with root privileges and enabled the execution of malicious commands through SSH. The backdoor was part of a sophisticated supply chain attack in which the perpetrator, Jia Tan, infiltrated the project over years. Experts described the incident as a nightmare scenario.

Also covered in:

Andres Freund prevented cybersecurity breach in XZ Utils software (The Hindu)
Critical XZ Utils vulnerability allows unauthorized system access (Help Net Security)
Critical xz package vulnerability discovered on Debian, CVE-2024-3094 (TechRadar)
Linux narrowly avoided cyber attack from XZ Utils backdoor (The Verge)
Backdoor discovered in XZ Utils by Microsoft developer (The Intercept)
Critical XZ Utils vulnerability (CVE-2024-3094) compromises Linux systems (Help Net Security)
Backdoor found in xz Utils for Linux systems (Ars Technica)
Critical security flaw in xz-utils threatens Linux and macOS (Security Boulevard)
XZ Utils compromised by maintainer "Jia Tan." (Help Net Security)
Backdoor in XZ Utils poses security risk in Linux (Nextgov/FCW)
Free online scanner detects XZ Utils backdoor in Linux (TechRadar)
Critical Linux vulnerability; update XZ Utils before 5.6.0 (IT World Canada)
Supply chain attack targets XZ Utils in Linux distributions (Cybersecurity Dive)
Andres Freund uncovers sabotage in XZ Utils, preventing crisis (The Japan Times)
Malicious code found in XZ Utils on Good Friday (The Guardian)
Volunteer engineer finds cybersecurity threat in XZ Utils (The Japan Times)
XZ Utils backdoored for covert SSH access on Linux (Help Net Security)
Malicious code in xz libraries poses security threat (The New Stack)
Backdoor in xz compression utility version 5.6.0 discovered (SC Media)
Backdoor found in xz Utils 5.6.0/5.6.1, affecting Linux distributions (Ars Technica)