The most advanced supply chain attack ever found.

The XZ exploit is a clever supply chain attack that places an RCE in sshd using a vulnerability in XZ, a compression library that many Linux distributions call when running OpenSSH (sshd -> libsystemd (for systemd notifications) -> liblzma (for logging)). It was discovered by Andres Freund when he noticed that sshd was running with abnormally high CPU usage.
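As an added example (not code from the original page or from the XZ, systemd or OpenSSH projects), the following Python checks whether a load chain like the one described above exists, by parsing `readelf -d` output and searching the DT_NEEDED entries. The sample dumps and the function names `needed` and `load_chain` are constructed for illustration.

```python
import re
from collections import deque

# Constructed sample: `readelf -d` dynamic-section lines, keyed by soname.
# On a real host, collect them with `readelf -d <path>` for sshd and each library.
SAMPLE_READELF = {
    "sshd": """
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libsystemd.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
""",
    "libsystemd.so.0": """
 0x0000000000000001 (NEEDED)             Shared library: [liblzma.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libsystemd.so.0]
""",
    "libcrypto.so.3": """
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
""",
}

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")

def needed(readelf_text):
    """Return the DT_NEEDED sonames listed in one object's dynamic section."""
    return NEEDED_RE.findall(readelf_text)

def load_chain(dumps, root, target_prefix):
    """Breadth-first search for the shortest DT_NEEDED chain from root to a
    library whose soname starts with target_prefix; None if unreachable.
    Caveat: libraries loaded with dlopen() do not appear in DT_NEEDED."""
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        if path[-1].startswith(target_prefix):
            return path
        for dep in needed(dumps.get(path[-1], "")):
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return None

if __name__ == "__main__":
    chain = load_chain(SAMPLE_READELF, "sshd", "liblzma.so")
    print(" -> ".join(chain) if chain else "liblzma is not reachable from sshd")
```

A result of `None` means no link-time path exists in the dumps supplied; it says nothing about libraries loaded at run time.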

The vulnerability was submitted by Jia Tan, a maintainer of the XZ project who had been an active contributor since 2021. It was extremely obfuscated. Read the original backdoor report by Andres Freund for more details.

Maintainers

There are two maintainers of the XZ project, Jia Tan and Lasse Collin. Lasse Collin is the original author of the XZ Utils library, whereas Jia Tan has only been a maintainer since 2022.

Tan appears to have little to no online footprint prior to 2021, when they started making useful contributions to XZ. It is speculated that Jia Tan is an invented persona.

He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise.

Richard Jones

Features

Oddities

If you discover a security vulnerability in this project please report it privately. Do not disclose it as a public issue. This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.

Discovery

I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of cpu time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.

Really required a lot of coincidences.

Andres Freund (a Postgres developer at Microsoft)

As noted by nurple on HN, this exploit was found for reasons similar to those that led to the detection of Ken Thompson's supply chain exploit: strange performance sparking curiosity.