Open Source · 2024-02-24 · 34 days · Backdoor, Remote Code Execution

xz release tarballs hid liblzma backdoor

An attacker using the Jia Tan persona gained xz utils maintainer access after a long social-engineering campaign, then shipped official 5.6.0 and 5.6.1 release tarballs that hid a liblzma backdoor in test files and m4 build logic.

Story

The xz utils compromise was not a smash-and-grab package takeover. An attacker operating as Jia Tan spent years becoming a trusted contributor, obtained release authority, and then used that position to publish official source tarballs for versions 5.6.0 and 5.6.1. The malicious release path mattered: parts of the backdoor lived in generated tarball content and obfuscated test files, while GitHub's auto-generated source archives did not contain the same complete payload.

The backdoor activated only under narrow build and runtime conditions, including x86-64 Linux, gcc, GNU ld, glibc-like environments, and Debian or RPM package-build signals. When the resulting liblzma was pulled into patched OpenSSH builds through libsystemd, it could intercept sshd's authentication path and respond to an attacker-controlled key with hidden command execution.

Andres Freund caught the attack by following performance anomalies, valgrind complaints, and unexpected liblzma CPU time in sshd on Debian unstable. That chance discovery kept the backdoor mostly inside unstable, testing, and pre-release distribution channels rather than stable Linux fleets. The incident exposed both the reach of small infrastructure libraries and the weakness of maintainer trust as a single control.

The response required more than revoking one package version. Distributions had to check whether they built from the release tarballs, whether downstream patches linked sshd through liblzma, and whether any pre-release or testing systems had run the affected builds before the public disclosure.
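The checks in that response paragraph can be scripted. The following POSIX shell script is an added example, not part of this record or of the xz project: it takes the compromised version numbers and the two sha256 values from this record, and its `xz --version` and `ldd` output strings are constructed samples so the functions can be exercised offline. The `--live` mode, the use of `sha256sum`, and the `/usr/sbin/sshd` fallback path are assumptions about a typical Linux host.

```shell
#!/bin/sh
# Added example (not from the incident record or the xz project): local checks
# for the two questions the response paragraph raises on a single host:
#   1. is the installed xz one of the compromised releases, or did a tarball
#      we built from match a hash listed in this record?
#   2. does our sshd binary link liblzma (the libsystemd path the record names)?

# Versions and hashes as given in this record.
KNOWN_BAD_VERSIONS="5.6.0 5.6.1"
KNOWN_BAD_SHA256="64c34a523acb4925cf066c8e9ac66d53b0e7456e14364d12186616abc1e3c7ce
ae2c4f079373aca8bcaf96225defedc0db2274686bcbec5f9e2d2ba344569345"

# is_affected_version VERSION -> exit 0 if VERSION is a compromised release.
is_affected_version() {
    for v in $KNOWN_BAD_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# sha256_is_known_bad HEXDIGEST -> exit 0 if the digest is listed in this record.
sha256_is_known_bad() {
    for h in $KNOWN_BAD_SHA256; do
        [ "$1" = "$h" ] && return 0
    done
    return 1
}

# tarball_is_known_bad FILE -> exit 0 if FILE's sha256 matches a listed hash.
# Assumes GNU coreutils sha256sum is available.
tarball_is_known_bad() {
    digest=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    sha256_is_known_bad "$digest"
}

# xz_version_string XZ_VERSION_OUTPUT -> prints the version number from the
# first line of "xz --version" output ("xz (XZ Utils) 5.6.1").
xz_version_string() {
    printf '%s\n' "$1" | sed -n '1s/.*(XZ Utils) \([0-9.]*\).*/\1/p'
}

# ldd_links_liblzma LDD_OUTPUT -> exit 0 if the ldd text lists liblzma.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample inputs (not captured from a real host) so the functions
# above can be exercised without touching the system.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_LINKED='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000100000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000200000)'
SAMPLE_LDD_CLEAN='	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000300000)'

# Live mode: run the same functions against the host this script executes on.
# Usage: sh xz_check.sh --live
if [ "${1:-}" = "--live" ]; then
    ver=$(xz_version_string "$(xz --version 2>/dev/null || true)")
    if is_affected_version "$ver"; then
        echo "xz $ver is a compromised release: rebuild or downgrade"
    else
        echo "xz version '$ver' is not in the compromised list"
    fi
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && ldd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "$sshd_path links liblzma: check the libsystemd patch and the liblzma version"
    else
        echo "sshd not found or it does not link liblzma"
    fi
    for f in "$@"; do
        [ -f "$f" ] && tarball_is_known_bad "$f" && echo "$f matches a listed hash"
    done
fi
```

A version match or a hash match answers only whether a host built or installed the compromised artifact; whether sshd actually loaded it still depends on the distribution's libsystemd patch, which is why the script reports the `ldd` result separately.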

Affected Artifacts

xzutils

github · tukaani.org · repository · Source Archive
Observed
2024-02-24 to 2024-03-29
Compromised Versions
5.6.0, 5.6.1
Fixed
Not listed
Hashes
  • sha256:64c34a523acb4925cf066c8e9ac66d53b0e7456e14364d12186616abc1e3c7ce
  • sha256:ae2c4f079373aca8bcaf96225defedc0db2274686bcbec5f9e2d2ba344569345

Incident Context

Motive
Espionage · Strategic Advantage
Attribution
Persona
Cause
Social Engineering
Transitive
No
Actor
Jia Tan persona

External References

Source record: oss/attacks/xzutils/meta.yaml