XZ repo backdoored and hacked!

Hi All!

This easter’s breaking news on Linux Security!

The well known and VERY often used XZ library has been “repo backdoored and hacked”!

XZ and its libraries are included in almost all distros, but also in commercial products with Linux inside (NAS, routers and other hardware), as this particular library is often used for system backups!

→ Think global Cloud Providers and producers of hardware like NAS…

Probably a state actor (Russia or China) orchestrated this well-done hack.
The guy’s name wasn’t John Doe or Joe! :slight_smile:

In the past here, I have warned about risks in underfunded / under-resourced projects, but also about one-man shows in coding…

This is a prime example of such a case, and in an almost ubiquitous library used almost everywhere.
It’s not only and always about the quality of the code; there’s always the “human” factor…

I do not blame the probably overworked developer of this project!

But no one noticed, cared or notified anyone about this one - except for the Microsoft software engineer who noticed a way too high CPU load and raised the alarm! Kudos to the MS engineer for uncovering this!

My 2 cents
Andy

A good part of the story:
(Missing details on the project being underfunded and not having enough contributors.)

More info (in German):

https://lwn.net/ml/oss-security/20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de/
