Security researchers have found the XZ Utils backdoor still present in official Debian images on Docker Hub.
The XZ Utils backdoor discovery in March 2024 sent shockwaves throughout the Linux community. A developer known as “Jia Tan” had spent two years building trust before inserting malicious code into widely used compression libraries.
The backdoor targeted SSH servers: the tainted liblzma.so, loaded into sshd via libsystemd, hooked OpenSSH's RSA signature-verification routine. Its reach was broad enough that major Linux distributions, including Debian, Fedora, and openSUSE, inadvertently shipped the compromised 5.6.0 and 5.6.1 packages to users of their development and testing branches.
Within hours of discovery, security researchers scrambled to understand the full scope of the supply chain attack. Now, over a year later, new findings show the backdoor’s persistence in unexpected places.
What’s Happening: Binarly researchers found 12 official Debian Docker images on Docker Hub that still contain the backdoored XZ Utils build. These compromised images have been publicly available for over 15 months.
The affected images were mostly built on March 11, 2024, while the backdoored 5.6.x packages were still in Debian's archive. They cover the unstable, testing, and trixie tags that were built during that window. A base image that does not run sshd does not expose the backdoor's trigger, but the tainted liblzma is still in the layer, and any image built on top of it that installs openssh-server inherits the exposure.
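The quickest way to triage a pulled image is to ask the xz binary inside it which liblzma it links against and flag the two tainted upstream versions. The script below is an added example, not code from the article or from Binarly. It assumes the standard two-line output of `xz --version` ("xz (XZ Utils) X.Y.Z" followed by "liblzma X.Y.Z") and a Docker CLI on the host; the `image_xz_backdoored` wrapper and the function names are mine. It also covers the dpkg version-string trap: Debian's fix was shipped as `5.6.1+really5.4.5-1`, which contains "5.6.1" but actually installs 5.4.5, so a naive substring match on package versions produces false positives.

```shell
#!/bin/sh
# Added example: triage a container image for the backdoored XZ Utils build.
# Assumes `xz --version` prints "xz (XZ Utils) X.Y.Z" then "liblzma X.Y.Z".

# Pull the liblzma version out of `xz --version` text; fall back to the xz line.
xz_liblzma_version() {
    printf '%s\n' "$1" | awk '
        /^liblzma[[:space:]]/ { print $2; found = 1; exit }
        /^xz \(XZ Utils\)/    { xzv = $NF }
        END { if (!found) print xzv }'
}

# Exit 0 if the version text reports one of the tainted upstream releases.
xz_version_backdoored() {
    case "$(xz_liblzma_version "$1")" in
        5.6.0|5.6.1) return 0 ;;   # releases whose tarballs carried the backdoor
        *)           return 1 ;;
    esac
}

# Same decision from a Debian package version string (e.g. dpkg-query output).
# Debian's revert was versioned "5.6.1+really5.4.5-1": it contains "5.6.1" but
# ships 5.4.5, so it must be treated as clean.
dpkg_xz_version_backdoored() {
    case "$1" in
        *+really*)        return 1 ;;
        5.6.0-*|5.6.1-*)  return 0 ;;
        *)                return 1 ;;
    esac
}

# Run `xz --version` inside an image (hypothetical wrapper; needs docker).
# Returns 0 = backdoored, 1 = clean, 2 = could not run xz in the image.
image_xz_backdoored() {
    out=$(docker run --rm --entrypoint xz "$1" --version 2>/dev/null) || return 2
    xz_version_backdoored "$out"
}

# Usage: sh check_xz.sh debian:trixie-20240311  (only runs when an image is given)
if [ $# -gt 0 ]; then
    if image_xz_backdoored "$1"; then
        echo "BACKDOORED liblzma in $1"
    else
        echo "no tainted xz version reported by $1 (rc=$?)"
    fi
fi
```

A version string is a heuristic: it catches the unmodified distro packages found here, but a rebuilt or renamed library would not announce itself this way, so for anything beyond a first pass, scan the library bytes themselves rather than trusting what the binary reports.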
