Really good timeline of what is known to have happened so far. It looks like the rogue developer deliberately introduced a vulnerability in other package, too - I haven’t seen anybody else mention this.
Reading the dev’s GitHub history, they’ve been making changes to other open source projects too around compression. It also appears they/somebody involved has other accounts, too.
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Kevin Beaumont /
npub176…fkwlw
2024-03-30 12:01:51
in reply to nevent1q…m2vp
Author Public Key
npub176rs4lx7gjqwepgg75psfpv7zjj3xz0lyj4n7rux93ftm390sars6fkwlwSeen on
wss://relay.noswhere.comPublished at
2024-03-30 12:01:51Event JSON
{
"id": "100bbc910fe61f894aac54866308a8170c2f7c1bff6ebc38a5a000d73fb0071a",
"pubkey": "f6870afcde4480ec8508f50304859e14a51309ff24ab3f0f862c52bdc4af8747",
"created_at": 1711800111,
"kind": 1,
"tags": [
[
"e",
"5332436b98e97094a15195825e159eb9c8fa691cbe1bd8c8291e9d74e3558d91",
"wss://relay.mostr.pub",
"reply"
],
[
"proxy",
"https://cyberplace.social/users/GossiTheDog/statuses/112184532084137978",
"activitypub"
]
],
"content": "Really good timeline of what is known to have happened so far. It looks like the rogue developer deliberately introduced a vulnerability in other package, too - I haven’t seen anybody else mention this. \n\nReading the dev’s GitHub history, they’ve been making changes to other open source projects too around compression. It also appears they/somebody involved has other accounts, too. \n\nhttps://boehs.org/node/everything-i-know-about-the-xz-backdoor",
"sig": "89a878f0681ca7329696f09375f5e3f20a8052259e794211602b26048b44f8187163835ca940e46ffd6f5bc7f547f546dbea74c266728c4f1f35df380bd2e235"
}