Malicious XZ Attack Planned for Years


The XZ Utils package is commonly found in Linux distributions.

The malicious code recently discovered in versions 5.6.0 and 5.6.1 of XZ Utils “appears to be the product of a carefully crafted supply chain attack that took several years to set up,” reports Lindsey O’Donnell-Welch.

“xz is a general purpose data compression format present in nearly every Linux distribution, both community projects and commercial product distributions,” according to the Red Hat security alert issued March 29.

The code (CVE-2024-3094), found by Microsoft software engineer Andres Freund, could allow attackers to break sshd authentication and gain unauthorized access to impacted systems.

“It's hard to overstate the complexity of the social engineering and the inner workings of the backdoor,” notes Dan Goodin. But this graphic from Thomas Roccia helps visualize the extent of the efforts.

Read more at Duo Decipher and Ars Technica.


