The whole xz thing is mind boggling.

The story starts two years ago. Lasse Collin is the sole developer maintaining xz as a hobby. xz is a linux utility used widely - nearly every installation of linux has it. Collin was delighted to start receiving help from JiaT75 - someone named Jia Tan. Tan kept fixing bugs, opening pull requests, and generally being helpful. Eventually, Collin had granted Tan access to commit directly to the repository. They were a trusted helper, after all! Tan then took responsibility of managing releases, helping with various security websites interactions with the project, and made life easier for Collin.

This year, Tan helped usher in version 5.6.0 and 5.6.1 of xz. Tan dutifully continued to be helpful and encouraged various linux distribution maintainers to include these new versions - they had security fixes, of course! Some did, some didn’t. Reviewing the code, it was unclear if the security fixes were major enough to warrant updating. This version ended up in “testing” versions of Debian, Redhat, and Kali linux - but these are large distributions used on millions of computers.

By chance, Andre Freund - a linux developer over at Microsoft - became frustrated that their SSH client was taking 500ms longer to connect that day. It wasn’t clear to them why all of a sudden everything was half a second slower, and sure: it wasn’t the end of the world by any means but it was ANNOYING. So they dug. They found something that was surprising.

Unfortunately, Jia Tan was not who they claimed to be. Tan was not just a helpful contributor. Tan was an agent of a nation state with a very specific goal - infiltration. They used their position to hide code inside of xz that could be used to execute arbitrary malicious payloads - and then used their role as security contact to prevent folks from finding it. Version 5.6.0 and 5.6.1 of xz included this code. Nobody noticed - that is, until Andre Freund.

If Andre hadn’t decided to inspect an annoyance this backdoor would have been everywhere. Every bank, every government, most every cell phone. This was all caught because someone didn’t want to wait half a second longer.

The Lasse Collin is currently suggesting to use an old version that doesn’t have ANY of Jia Tan’s code in it - 5.3.1.

Some real spy stuff, right?

Arstechnica has a more detailed write up, and Lasse Collin has some stuff about it on their site - but they’re currently on vacation and won’t be able to do much until they get back.