In late March 2024, the open source community discovered a backdoor in XZ Utils, a suite of tools that use the xz compression algorithm. The xz backdoor was embedded inside liblzma and took effect when liblzma was used in OpenSSH, a common remote-login tool. You can read about this extensively in many places elsewhere. Since then, many people have leveraged the xz backdoor to highlight their favorite systemic issue in open source.| dadrian.io
In this article we analyze the social engineering aspects of the XZ backdoor incident: namely, the pressuring of the XZ maintainer to hand the project over to Jia Cheong Tan, and the subsequent urging of major downstream maintainers to commit the backdoored code to their projects.| securelist.com