xzutils
xz utils backdoor via social engineering, build modification
A sophisticated multi-year social engineering campaign resulted in an attacker gaining maintainership of xz utils. Malicious code was hidden in test files within the source repository and injected into the build process (the configure script, via an m4 macro) only under specific conditions (x86-64 Linux, building .deb/.rpm packages with gcc/glibc). The backdoor targeted the OpenSSH server (sshd) when linked against the compromised liblzma, enabling potential remote code execution by attackers possessing a specific private key.
- Date
- 2024-02-24 to 2024-03-29
- Category
- Open Source
- Target Surface
- Revision control
- Insertion Phase
- CI/CD
- Impact
- Backdoor
- Cause
- Social Engineering
What Was Affected
Package
xzutils
Language
Shell
Component
Library
Artifact type
source archive
Domain type
code host
Domain
github.com
Compromised Versions
- 5.6.0
- 5.6.1
Incident Context
- Motive
- Espionage/Strategic Advantage
- Attribution
- Nation-state
- Observed Duration
- 34 days
Evidence
Compromised Artifacts
- github.com/tukaani-project/xz/releases/download/v5.6.0/xz-5.6.0.tar.gz
- github.com/tukaani-project/xz/releases/download/v5.6.1/xz-5.6.1.tar.gz
Current Artifacts and Analysis
Indicators and Changes
Hashes
- sha256:64c34a523acb4925cf066c8e9ac66d53b0e7456e14364d12186616abc1e3c7ce
- sha256:ae2c4f079373aca8bcaf96225defedc0db2274686bcbec5f9e2d2ba344569345
Commits
- 9c45a8548eda244bd2127e2d2ae1a943c1affb12
- 61af4bc0f8cc25805e459cfa2ff011c80095daa6
- 70e9b1960fa77c5e45e9fb60db65a8ef8e0f438e
External References
Source Data
Source record: oss/xzutils/meta.yaml