April 12, 2024 at 11:39AM
The XZ Utils backdoor's test files were found in the liblzma-sys Rust crate, affecting version 0.3.2; they have since been removed in version 0.3.3. The backdoor allowed remote code execution through SSH and was attributed to a social engineering campaign targeting open-source projects. Multiple organizations have warned of the sophisticated methods used and emphasized the need for vigilance in open-source package maintenance.
In summary, the incident involved the insertion of a backdoor into the liblzma-sys Rust crate associated with the XZ Utils software. The malicious test files were included in version 0.3.2 of the crate, which allowed for the circumvention of authentication controls within SSH and potentially allowed for remote code execution.
The backdoor was discovered and responsible disclosures were made, resulting in the removal of the malicious files in version 0.3.3 and the pulling of the previous version from the registry. There were coordinated social engineering campaigns to sneak the malicious code into the project, using phony developer accounts and pressure campaigns to influence the project’s maintainer.
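A practical defender's check that follows from the version numbers above is to inspect a project's Cargo.lock for the affected liblzma-sys release. The script below is an added example and not code from the original page or from the liblzma-sys project; it parses a constructed Cargo.lock excerpt (not a real project's lockfile) with a minimal line-based reader, so it runs offline without a TOML library, and reports any package locked at a version the summary names as affected.

```python
"""Flag the liblzma-sys version affected by the XZ Utils backdoor test files.

Added example, not from the original page. The affected/fixed versions are
the ones the summary above states (0.3.2 affected, 0.3.3 removed the files).
"""
import re

AFFECTED = {"liblzma-sys": {"0.3.2"}}   # versions named on the page
FIXED = {"liblzma-sys": "0.3.3"}        # first version without the files

# Constructed Cargo.lock excerpt (not a real project's lockfile).
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "liblzma-sys"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

_KV = re.compile(r'^(name|version)\s*=\s*"([^"]*)"$')


def parse_cargo_lock(text):
    """Return [(name, version), ...] from the [[package]] tables in a lockfile.

    Minimal line-based parsing: enough for the flat `key = "value"` layout
    Cargo writes, without pulling in a TOML dependency.
    """
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if current:
                packages.append(current)
            current = {}
        elif current is not None:
            m = _KV.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    if current:
        packages.append(current)
    return [(p["name"], p.get("version", "")) for p in packages if "name" in p]


def find_affected(text):
    """Return one finding per locked package at a version listed in AFFECTED."""
    findings = []
    for name, version in parse_cargo_lock(text):
        if version in AFFECTED.get(name, set()):
            findings.append({"name": name, "version": version, "fixed_in": FIXED[name]})
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_LOCK):
        print(f"{f['name']} {f['version']} is affected; upgrade to {f['fixed_in']}")
```

Run it against a real lockfile by reading the file into `find_affected`; in day-to-day use, the RustSec advisory database via `cargo audit` covers this and other crate advisories, and the script is only a self-contained illustration of the version check.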
The source code repository associated with XZ Utils has since been restored on GitHub, and it is suspected that the operation behind the backdoor insertion may be the work of a state-sponsored entity due to its planning and sophistication.
This incident serves as a reminder of the importance of vigilance in open-source package maintenance to prevent software supply chain attacks.