Timeline of the xz Open Source attack

Editor’s Note: Linking this very important post-mortem of how a malicious group of hackers created a backdoor in an important OS repository. The full source is linked at the bottom. Thanks to Kevin G. for sending this to us.

Over a period of over two years, an attacker using the name “Jia Tan” worked as a diligent, effective contributor to the xz compression library, eventually being granted commit access and maintainership. Using that access, they installed a very subtle, carefully hidden backdoor into liblzma, a part of xz that also happens to be a dependency of OpenSSH sshd on Debian, Ubuntu, Fedora, and other systemd-based Linux systems. That backdoor watches for the attacker sending hidden commands at the start of an SSH session, giving the attacker the ability to run an arbitrary command on the target system without logging in: unauthenticated, targeted remote code execution.

The attack was publicly disclosed on March 29, 2024 and appears to be the first serious known supply chain attack on widely used open source software. It marks a watershed moment in open source supply chain security, for better or worse.

This post is a detailed timeline that I have constructed of the social engineering aspect of the attack, which appears to date back to late 2021. Key events have bold times.

Corrections or additions welcome on Bluesky, Mastodon, or email.

Full Article Here.


Discover more from Vancouver Linux Users Group