Okay, let's start with a meme,
In this meme, the random person is Lasse Collin from Finland who has been maintaining the project since 2009. The project itself is called XZ Utils.
What is XZ Utils?
XZ Utils is an open-source data compression utility that provides lossless data compression on virtually all Unix-like operating systems, including Linux. It provides critical functions for compressing and decompressing data during all kinds of operations. XZ Utils also supports the legacy .lzma format, making this component even more crucial.
The XZ compression algorithm is widely used in the Unix-based computing ecosystem. Even Windows systems rely on it indirectly because many servers run on Unix-based operating systems.
The Problem
A vulnerability in XZ Utils could enable a hacker to gain access to virtually any server or computer running Linux. Secure Shell (SSH), a common method for remotely accessing Linux systems, is closely linked to XZ Utils in many Linux distributions, particularly those based on Debian. If someone were to exploit this connection by inserting malicious code (a backdoor) into XZ Utils, they could potentially gain access to Linux systems running SSH.
The Long Con
In 2021, an individual using the username JiaT75 made their first known contribution to an open-source project. The following year, JiaT75 submitted a patch to the XZ Utils mailing list, and shortly after, a previously unknown participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of XZ Utils, had not been updating the software often or quickly enough. Kumar, with the support of Dennis Ens and several other people who had no prior presence on the mailing list, pressured Collin to bring on an additional developer to maintain the project. It is also important to note that Collin was going through a difficult mental state, which had impacted his ability to update XZ Utils as frequently as desired.
This appears to have been a social engineering setup, as Collin then brought on JiaT75 as a co-maintainer, believing them to be trustworthy based on their submitted patches.
In January 2023, JiaT75, now using the name Jia Tan, made their first commit to XZ Utils. In the following months, Tan became increasingly involved in XZ Utils affairs, including replacing Collin's contact information with their own on oss-fuzz, a project that scans open-source software for vulnerabilities. Tan also requested that oss-fuzz disable the ifunc function during testing, a change that prevented it from detecting the malicious changes Tan would soon make to XZ Utils.
In February of this year, Tan issued commits for versions 5.6.0 and 5.6.1 of XZ Utils, implementing a backdoor in the updates. These updates eventually made their way into the unstable releases of Fedora Rawhide, Fedora 41, OpenSUSE, and Kali. If the backdoor had not been discovered, these compromised versions of XZ Utils could have been included in the stable releases of these operating systems, potentially granting the attacker access to any system running those distributions.
How it was Found
Andres Freund, a developer and engineer working on Microsoft's PostgreSQL offerings, was recently troubleshooting performance problems on a Debian system experiencing high CPU usage and errors with the valgrind memory monitoring tool during SSH logins. Through careful investigation, Freund eventually discovered that the issues were caused by the updates made to XZ Utils.
Freund then disclosed the presence of the intentionally planted backdoor in the XZ Utils compression software on the Open Source Security List.
At this time, little is known about the identity of JiaT75, also known as Jia Tan. It is speculated that they may be a nation-state actor, but this remains unconfirmed.
Anyway, stay cybersafe.