"On March 29, 2024, Andres Freund, a Microsoft software developer, emailed Openwall, informing the community of the discovery of an SSH backdoor in XZ Utils 5.6.0 and 5.6.1 (CVE-2024-3094). XZ Utils is a suite of open-source software that provides developers with lossless compression. The tool is very widely distributed, as it comes installed by default on most Linux distributions and macOS systems.
The SSH backdoor in XZ Utils can be categorized as a supply chain attack, and the story of how XZ Utils got infected can be traced back to Feb 2022, when a user, Jia Tan (JiaT75), made his first commit to the XZ GitHub repository. From then on, Tan slowly built trust with the original author of the XZ project by contributing to the project and using fake accounts to pressure the author. After Tan received maintainer permissions for the repository, a few changes to XZ Utils, including a binary backdoor, were included as part of release 5.6.0.
In this talk, I will walk you through the complete story of how XZ Utils was found to be compromised and how the attacker slowly gained trust and finally released his backdoor into the wild. I will also briefly talk about other popular supply chain attacks and what we can learn from all these stories."