XZ Utils Backdoor - 2024

Backdoored compression library introducing SSH remote code execution risk

Incident Intelligence

FikreSekhel Research is tracking this campaign as a software supply chain compromise involving install-time execution paths.

Supply Chain Compromise

A sophisticated software supply chain compromise targeted XZ Utils releases 5.6.0 and 5.6.1. The malicious code introduced a hidden backdoor affecting OpenSSH authentication paths on selected Linux distributions.

Severity Critical
Status
Ecosystem Linux
Affected packages 1
Primitive Release Artifact Manipulation
Attack surface Linux package distribution
Trust boundary Software repository -> Production server
Published 2024-03-29
Attack Path
Compromised package -> npm install -> Release Artifact Manipulation -> Install-time execution -> Credential exposure -> CI/CD compromise
Technical Context

The attacker spent years building trust within the project before introducing malicious modifications into release artifacts. The payload targeted liblzma and interacted with OpenSSH execution paths under specific deployment conditions.

Observed Behavior

Compromised builds contained hidden logic capable of altering authentication behavior within affected OpenSSH environments.

Security Implication

Successful exploitation could enable unauthorized remote access to affected systems and compromise critical infrastructure.

Recommended Actions

Immediately downgrade affected versions, verify package integrity and review system exposure.
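As an added triage helper that is not part of this FikreSekhel Research page, the following POSIX shell script flags the two backdoored releases named above and reports whether the local sshd loads liblzma, which is the deployment condition under which the payload reached the OpenSSH process. The function names and the constructed sample outputs are assumptions.

```sh
#!/bin/sh
# Added example, not from the FikreSekhel Research page: triage helper for the
# XZ Utils backdoor. Function names and the sample strings below are constructed.

# Returns 0 when the version string is one of the backdoored releases named on the page.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the release number from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Returns 0 when `ldd sshd` output shows liblzma being loaded into the sshd process,
# the deployment condition under which the backdoored library reached OpenSSH.
ldd_shows_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample outputs, used only for offline self-checks.
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_OUTPUT='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1234567000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1234000000)'

# Live check of this host (skipped when the tools are absent).
if command -v xz >/dev/null 2>&1; then
    ver=$(parse_xz_version "$(xz --version 2>/dev/null | head -n 1)")
    if is_affected_xz_version "$ver"; then
        echo "ALERT: xz $ver is a backdoored release; downgrade and verify package integrity"
    else
        echo "xz ${ver:-unknown} is not one of the backdoored releases"
    fi
fi
if command -v sshd >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1; then
    if ldd_shows_liblzma "$(ldd "$(command -v sshd)" 2>/dev/null)"; then
        echo "NOTE: sshd loads liblzma, so a backdoored xz would reach the OpenSSH process"
    fi
fi
```

A version that is not 5.6.0 or 5.6.1 only rules out the two known releases; package integrity should still be verified against the distribution's signed metadata.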

Severity Critical
Package xz-utils (Backdoored Release Introducing SSH Authentication Manipulation)
Affected versions 5.6.0, 5.6.1
CWE CWE-506
Exploit maturity Observed In The Wild
Remediation Downgrade affected versions and verify package integrity.