XZ Opensource Supply Chain Threat Intelligence Brief April 2024

This article is mainly for:
Threat landscape
Published on:
12 July 2024

This report was published by Cyber Cert Labs, a friend of the hive. The executive summary is included below; the full report can be downloaded at the end of the page.

Executive summary

On March the 29th, a Microsoft engineer accidentally discovered a backdoor that had been intentionally added to the XZ Utils software project, an open-source data compression utility that is used in almost all Linux distributions. The backdoor had been deliberately planted by a developer in the project. This developer had joined the project two years earlier and, over the course of those two years, earned the trust of the project maintainer by contributing bug fixes and code improvements. Leveraging this trust, and having been given the ability to directly approve code changes to the project, the developer inserted the backdoor in February of this year.

The investigation is still in its early stages, but the level of investment in terms of time and the sophisticated nature of the backdoor already indicate that this may be a nation-state effort. This is another software supply chain attack, consistent with a recent pattern of planting backdoors into commonly used software with the aim of compromising organisations that use the tainted software.

About the author

Patricia Shields



