Adam on Nostr: XZ was a utility that a single person developed. Someone named Jia Tan submitted ...
XZ was a utility that a single person developed. Someone named Jia Tan submitted improvements to the code, which Collin, the original developer, implemented. Not long after, some previously unknown accounts popped up to report bugs and submit feature requests to Collin, putting pressure on him to take on a helper in maintaining the project. Jia Tan was the logical candidate.
Jia Tan became more and more involved and, we now know, introduced a carefully hidden weapon into the software's source code. The revised code secretly alters another piece of software, a ubiquitous network security tool called OpenSSH, so that it passes malicious code to a target system. As a result, a specific intruder will be able to run any code they like on the target machine.
The latest version of XZ Utils, containing the backdoor, was set to be included in popular Linux distributions and rolled out across the world. However, it was caught just in time when a Microsoft engineer investigated some minor memory irregularities on his system.
Here’s the fun fact. The engineer noticed that his SSH sessions were half a second slower. He investigated and found the malicious code and was able to stop the push to all Linux distros.
Published at
2024-04-05 10:22:11