Hacker infiltrated XZ Utils open source group for years to implant backdoor

XZ Utils is in practically every distribution of Linux and provides support for the xz compression format. Andres Freund, a developer at Microsoft, noticed that SSH was taking a fraction of a second longer to do its thing, discovered it was a result of changes made to XZ Utils, and "took to the Open Source Security List to disclose the updates were the result of someone intentionally planting a backdoor in the compression software". That someone appears to be JiaT75, presumably a state-sponsored actor, who had been contributing to the XZ Utils project for many years, gained the trust of other contributors and made various changes to cover their tracks before adding a backdoor in February, which eventually made its way into various Linux distributions. The backdoor "allows someone with the right private key to hijack sshd, the executable file responsible for making SSH connections, and from there to execute malicious commands". Had it gone undetected, it would have been a disaster. It also raises questions about how the industry supports open source projects that turn into vital pieces of infrastructure, and whether any other projects are also in the midst of a long-con social engineering attack.

