XZ Utils backdoor (CVE-2024-3094)
A multi-year social-engineering campaign by a maintainer persona named 'Jia Tan' planted a hidden SSH backdoor in the XZ Utils compression library (liblzma) versions 5.6.0 and 5.6.1, scoring CVSS 10.0 — caught by chance days before it could reach stable Linux releases worldwide.
- Victim
- XZ Utils / Linux open-source ecosystem