XZ Utils backdoor (CVE-2024-3094)
A multi-year social-engineering campaign by a maintainer persona named 'Jia Tan' planted a hidden SSH backdoor in the XZ Utils compression library (liblzma) versions 5.6.0 and 5.6.1, scoring CVSS 10.0 — caught by chance days before it could reach stable Linux releases worldwide.
- Victim: XZ Utils / Linux open-source ecosystem
On 29 March 2024, Microsoft engineer Andres Freund posted to the oss-security mailing list that he had found a deliberately planted backdoor in XZ Utils, a near-ubiquitous data-compression library whose liblzma component is linked by countless Linux programs — including, indirectly, OpenSSH's sshd on several distributions. Assigned CVE-2024-3094 with the maximum CVSS score of 10.0, the backdoor was the culmination of a multi-year social-engineering campaign to take over a critical open-source project. It was caught by chance, days before the compromised versions reached widely-deployed stable releases.
How it was discovered
Freund, a PostgreSQL developer, noticed that SSH logins were taking roughly half a second longer than expected and that sshd processes were consuming unusual CPU. Profiling traced the overhead to liblzma. Investigating further, he uncovered obfuscated code that hooked into the symbol-resolution path used by sshd, allowing an attacker holding a specific Ed448 private key to achieve remote code execution by sending a crafted authentication payload — a near-invisible, key-gated remote backdoor.
The long game
The backdoor was not a one-off commit. Beginning around 2021, a maintainer persona named "Jia Tan" (JiaT75) built credibility in the XZ Utils community through legitimate contributions. Over 2022–2023, a chorus of apparent sock-puppet accounts pressured the project's overworked original maintainer to hand off responsibility, and Jia Tan was eventually granted commit and release authority.
The malicious payload was then introduced in stages. The dangerous code was not present in the human-readable Git repository; instead it was hidden in disguised binary "test" files and activated by a modified build-to-host.m4 that existed only in the release tarballs. During compilation on x86-64 Linux systems using glibc and GCC, the build logic extracted and injected the malicious object into liblzma — ensuring ordinary source review of the Git tree would not reveal it.
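Because the payload lived only in the release tarball and not in the Git tree, the standard defensive check that came out of this incident is to diff the two. The following script is an added example, not XZ project code: it hashes every regular file in a source checkout and in a tarball, then reports tarball-only files and content mismatches (a modified m4/build-to-host.m4 would land in the mismatch list). The sample checkout and tarball are constructed in memory so it runs offline.

```python
# Added example, not XZ project code: diff a release tarball against the
# reviewed source checkout, flagging files present only in the tarball or
# differing in content. Sample trees are constructed in a temp dir (offline).
import hashlib, io, os, pathlib, tarfile, tempfile

def checkout_digests(root):
    """Relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def tarball_digests(tar_bytes):
    """Relative path -> sha256 for regular tar members, top dir stripped."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for m in tf.getmembers():
            if m.isfile():
                rel = m.name.split("/", 1)[-1]
                out[rel] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out

def compare(tar, repo):
    """Tarball-only files and mismatched build scripts need manual review."""
    return {
        "tarball_only": sorted(set(tar) - set(repo)),
        "repo_only": sorted(set(repo) - set(tar)),
        "mismatch": sorted(p for p in tar.keys() & repo.keys() if tar[p] != repo[p]),
    }

def demo():
    """Constructed sample: tarball has a modified m4 file and an extra configure."""
    repo = {"src/liblzma/lzma.c": b"int x;\n", "m4/build-to-host.m4": b"dnl clean\n"}
    tar = dict(repo, **{"m4/build-to-host.m4": b"dnl modified\n", "configure": b"#!/bin/sh\n"})
    with tempfile.TemporaryDirectory() as root:
        for rel, data in repo.items():
            path = pathlib.Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for rel, data in tar.items():
                info = tarfile.TarInfo("xz-5.6.1/" + rel)
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
        return compare(tarball_digests(buf.getvalue()), checkout_digests(root))
```

Generated files such as configure are expected to appear as tarball-only in autotools projects; the signal to chase is a mismatch in a file that the checkout also carries, especially under m4/ or in build scripts.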
Impact and containment
- Affected versions were XZ Utils 5.6.0 (24 February 2024) and 5.6.1 (9 March 2024).
- The backdoor reached development and testing branches of Fedora Rawhide/40-beta, Debian unstable/testing, Kali Linux and Arch Linux — but most stable production releases had not yet shipped the compromised versions.
- CISA urged downgrading to a known-good release such as 5.4.6; Red Hat, SUSE and Debian reverted packages on disclosure day; Canonical delayed the Ubuntu 24.04 LTS beta as a precaution.
- A clean 5.6.2 was published in May 2024. No confirmed in-the-wild exploitation against production systems was established, because discovery preempted broad deployment.
Why it matters
XZ Utils is the defining case of open-source supply-chain subversion through trust, not technical exploitation. The attacker did not breach a server; they socially engineered their way into maintainership of a foundational library and weaponized the build pipeline so the backdoor never appeared in reviewed source. Its discovery hinged on a single engineer noticing a half-second of latency — a sobering reminder of how thin the margin was. The incident catalyzed durable change: scrutiny of maintainer burnout and single-maintainer projects, funding initiatives for critical open-source infrastructure, wider adoption of reproducible builds and tarball-vs-repository diffing, and renewed attention to the assumption that "many eyes" automatically make open-source code safe.
Timeline
- A persona named 'Jia Tan' (JiaT75) begins contributing to the XZ Utils project, gradually building trust with the original maintainer over a multi-year campaign.
- Amid pressure from sock-puppet accounts pushing the overworked maintainer to add a co-maintainer, Jia Tan is granted commit and release authority over XZ Utils.
- XZ Utils 5.6.0 is released containing obfuscated malicious code hidden in disguised binary test files and a modified build-to-host.m4 in the release tarball.
- XZ Utils 5.6.1 is released, refining the backdoor; the malicious build logic injects into liblzma during compilation on x86-64 glibc/GCC Linux systems.
- Microsoft engineer Andres Freund, investigating ~500 ms SSH login latency and high CPU in liblzma, identifies the backdoor and reports it to the oss-security list.
- CISA issues an alert; Red Hat, SUSE and Debian revert affected packages to safe versions; CVE-2024-3094 is assigned a CVSS 10.0 score.
- Canonical delays the Ubuntu 24.04 LTS beta by a week as a precaution while the ecosystem audits the affected toolchain.
- A clean XZ Utils 5.6.2 release is published; analysis of the multi-year operation and the Jia Tan persona continues across the security community.
Sources
- cisa.gov: https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
- nvd.nist.gov: https://nvd.nist.gov/vuln/detail/CVE-2024-3094
- en.wikipedia.org: https://en.wikipedia.org/wiki/XZ_Utils_backdoor
- openwall.com: https://www.openwall.com/lists/oss-security/2024/03/29/4