
🔐 The XZ Backdoor issue triggered by one untrusted maintainer

Threat Intelligence Center TALON has published a detailed analysis report on a supply chain attack targeting XZ Utils.

- On March 29, 2024, a supply chain attack targeting XZ Utils, an open-source compression utility (and the liblzma library it ships) used in Unix-like and Windows operating systems, was disclosed. The backdoor was inserted upstream, in the release tarballs of versions 5.6.0 and 5.6.1, rather than in any single downstream package, so every Linux distribution that packaged those releases inherited it.

- The user JiaT75, who had been contributing to the XZ repository since February 2022 and had been granted the maintainer role on the strength of that track record, published the first compromised release, 5.6.0, as a tarball on February 24, 2024; 5.6.1 followed in March. The injection stage lived only in the tarball's build scripts, not in the git repository, and pulled the payload out of binary test files at build time, so the malicious code ended up inside liblzma itself and was loaded by every executable that depends on liblzma, including sshd on distributions that link it through libsystemd.

- At runtime the backdoor hooked RSA_public_decrypt by rewriting its GOT entry in the sshd process. When a client presented an RSA key, the hook looked for a payload hidden in the key's modulus, verified the attacker's Ed448 signature over that payload, and only if the check passed executed the embedded command via system() with sshd's privileges. Connections without the attacker's signature were handed to the original function, so the backdoor did not behave like an ordinary authentication bypass.
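The mechanism above suggests the check an operator wanted on March 29: is the liblzma that sshd loads one of the backdoored builds? The following script is an added example, not code from the S2W TALON report or from the XZ project. It assumes an x86-64 host with POSIX od, tr, grep, sed and ldd, and it uses the hooked-function byte pattern from the detection script that accompanied the public disclosure. The write_sample helper constructs test input and is not a real liblzma.

```shell
#!/bin/sh
# Added example (not part of the S2W TALON report or of XZ Utils): host check
# for the backdoored XZ Utils 5.6.0 / 5.6.1 builds.
# Assumptions: x86-64 liblzma; POSIX od/tr/grep/sed and ldd available.
# The byte pattern below is the hooked-function prologue used by the detection
# script published with the March 29, 2024 disclosure. It matches the
# backdoored liblzma builds seen on the affected distributions; it is not a
# general-purpose indicator, so a miss is not proof of a clean build.
BACKDOOR_SIG='f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410'

# xz_version_affected VERSION -> exit 0 if VERSION is a backdoored release
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# liblzma_has_backdoor_signature PATH -> 0 if the prologue bytes are present,
# 1 if not, 2 if the file cannot be read.
liblzma_has_backdoor_signature() {
    [ -r "$1" ] || return 2
    # od -v prints every byte (no "*" for repeated lines); tr joins the output
    # into one hex string so grep can match across od's line boundaries.
    od -An -v -tx1 "$1" | tr -d ' \n' | grep -q "$BACKDOOR_SIG"
}

# write_sample FILE WITH_SIG: constructed test input, not a real liblzma.
# Writes filler bytes and, when WITH_SIG is 1, the prologue bytes in between.
write_sample() {
    printf 'constructed filler bytes before the prologue ' > "$1"
    if [ "$2" = "1" ]; then
        # BACKDOOR_SIG in octal escapes so it works in dash as well as bash
        printf '\363\017\036\372\125\110\211\365\114\211\316\123\211\373\201\347\000\000\000\200\110\203\354\050\110\211\124\044\030\110\211\114\044\020' >> "$1"
    fi
    printf ' constructed filler bytes after the prologue\n' >> "$1"
}

# check_host -> 0 if no indicator hit, 1 if the version or the liblzma that
# sshd actually loads points at a backdoored build.
check_host() {
    status=0
    if command -v xz >/dev/null 2>&1; then
        # first line of "xz --version" reads "xz (XZ Utils) 5.x.y"
        ver=$(xz --version 2>/dev/null | sed -n 's/^xz (XZ Utils) //p')
        if xz_version_affected "$ver"; then
            echo "xz $ver: backdoored release"; status=1
        else
            echo "xz ${ver:-unknown}: not an affected release"
        fi
    fi
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    lib=$(ldd "$sshd" 2>/dev/null | grep liblzma | grep -o '/[^ ]*')
    if [ -n "$lib" ]; then
        if liblzma_has_backdoor_signature "$lib"; then
            echo "$lib: backdoor prologue found"; status=1
        else
            echo "$lib: prologue not found"
        fi
    else
        echo "sshd does not load liblzma (or sshd is not installed)"
    fi
    return $status
}
```

Call check_host on a live system; it reads xz --version and follows ldd on sshd to the liblzma that matters. The two lower-level functions can also be run against a liblzma copied off a host. The version check is the authoritative one: the byte pattern is tied to the x86-64 builds that circulated, so treat a signature miss on an affected version as still affected.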

- It is possible that JiaT75's account was hijacked and misused, but the years of groundwork needed to earn maintainer status and stage the backdoor make a deliberate, long-term operation the more likely explanation.

- The incident highlights how much critical infrastructure depends on open-source projects maintained by a handful of contributors. It has reignited discussion of structural problems in the open-source ecosystem, including compensation for maintainers and finding enough reviewers for contributions.

🧑‍💻 Report Author: Minyeop Choi, Hosu Choi, Sojun Ryu | S2W TALON

If you have any questions about our cybersecurity reports, please don't hesitate to contact us.