Unveiling the Intricacies of a Sophisticated Supply Chain Attack: The xz Utils Incident

New revelations continue to emerge about what some argue was one of the most sophisticated and well-executed software supply chain attacks on open-source technology.

On Friday, March 29, Andres Freund coincidentally discovered malicious code inserted into xz Utils, an open-source data compression utility widely employed across Linux and Unix-like operating systems. Andres noted in a separate post that he was troubleshooting performance issues affecting an SSH service on a Debian system. Specifically, SSH logins seemed to be consuming excessive CPU cycles, accompanied by errors flagged by valgrind.

Andres Freund Mastodon post

Social Engineering at Play?

It appears that the malicious actor, referred to from here on as JiaT75, had been operating behind the scenes for at least a few years. Around 2022, JiaT75 submitted a patch via the xz Utils mailing list. That submission was followed by complaints from several users, none of whom had any prior presence on the list, that the xz Utils project was inadequately maintained, for example that updates were lacking.

Subsequently, it seems that JiaT75 was appointed as a maintainer for the xz Utils project in response to these concerns. A maintainer, essentially a contributor who leads an open-source project, holds significant authority in determining which portions of the source code are integrated into a build or release. In other words, JiaT75 was granted considerable control over the xz Utils project.

In the capacity of project maintainer, JiaT75 initiated commits (sending source code changes to the repository) to the xz Utils project. Crucially, JiaT75 began making a series of commits to the xz Utils project from February 2024 onwards, which marked the inception of the backdoor.

Malicious Code Unveiled

Beyond maneuvering to obtain maintainer status for the xz Utils project, JiaT75 appears to have taken a highly sophisticated approach to installing the backdoor.

For instance, a portion of the backdoor is embedded only in the distributed tarballs (a collection of files bundled into a single file and compressed) and is absent from the source repository, while a significant portion of it is concealed in files under a test directory. Without delving too deeply into the technical details: a script unpacks the malicious test data, which is then used to manipulate the build process (such as compilation).
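Because part of the payload existed only in the release tarballs, one defensive check is to compare a tarball against a VCS export of the same tag and flag files that were added or altered at packaging time. The script below is an added example, not code from the article or from the xz project; the archives, file names and contents it builds are constructed fixtures.

```python
import hashlib
import io
import tarfile


def tar_manifest(data: bytes) -> dict:
    """Map each regular file's path to the SHA-256 of its content."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if member.isreg():
                content = tf.extractfile(member).read()
                manifest[member.name] = hashlib.sha256(content).hexdigest()
    return manifest


def diff_manifests(vcs: dict, release: dict) -> dict:
    """Files only in the release, changed between the two, or only in VCS."""
    shared = set(vcs) & set(release)
    return {
        "added": sorted(set(release) - set(vcs)),
        "modified": sorted(p for p in shared if vcs[p] != release[p]),
        "removed": sorted(set(vcs) - set(release)),
    }


def audit(vcs_tar: bytes, release_tar: bytes) -> dict:
    """Compare a VCS export (e.g. `git archive` output) with a release tarball."""
    return diff_manifests(tar_manifest(vcs_tar), tar_manifest(release_tar))


def build_tar(files: dict) -> bytes:
    """Build a gzip-compressed tar in memory (fixture helper, not part of the check)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed fixtures: a git export and a release tarball that carries an extra
# macro file and an altered build script, mimicking a tarball-only payload.
COMMON = {"pkg/src/main.c": b"int main(void){return 0;}\n",
          "pkg/tests/files/sample.bin": b"\x00\x01\x02"}
VCS_TAR = build_tar({**COMMON, "pkg/configure.ac": b"AC_INIT([pkg],[1.0])\n"})
RELEASE_TAR = build_tar({**COMMON,
                         "pkg/configure.ac": b"AC_INIT([pkg],[1.0])\nm4_include([m4/extra.m4])\n",
                         "pkg/m4/extra.m4": b"dnl injected at packaging time\n"})

if __name__ == "__main__":
    print(audit(VCS_TAR, RELEASE_TAR))
```

Autotools releases legitimately ship generated files such as `configure`, so in practice compare against a tarball regenerated from the tag with the same toolchain and treat whatever still shows up as added or modified as a review item.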

Under certain conditions, an individual possessing a specific private key could hijack sshd (the executable responsible for facilitating SSH connections).

Summary

While this narrative continues to unfold, it is evident that one or more individuals associated with JiaT75 seem to have orchestrated a long-term strategy to surreptitiously introduce malicious code into a widely utilized open-source project.

More articles by Tyson Benson