News Minimalist logo

Backdoor discovered in XZ Utils by Microsoft developer

The Intercept April 4, 2024, 12:00 AM UTC

Summary: Microsoft developer Andres Freund discovered a backdoor in XZ Utils, a widely used data compression utility in Linux-based applications. The backdoor, introduced by user Jia Tan, could compromise systems. Tan gained trust in the XZ project, eventually becoming a co-maintainer. U.S. intelligence agencies are investigating. GitHub disabled Tan's account. The open-source nature of the project allowed for the backdoor's discovery before distribution.

Full article

Article metrics

The article metrics are deprecated.

I'm replacing the original 8-factor scoring system with a new and improved one. It doesn't use the original factors and gives much better significance scores.

Timeline:

  1. [5.6]
    Volunteer engineer finds cybersecurity threat in XZ Utils (The Japan Times)
    151d 16h

    ScoresSource
  2. [5.5]
    XZ Utils backdoored for covert SSH access on Linux (Help Net Security)
    152d 12h

    ScoresSource
  3. [5.6]
    Malicious code found in XZ Utils on Good Friday (The Guardian)
    154d 10h

    ScoresSource
  4. [6.6]
    Andres Freund prevented cybersecurity breach in XZ Utils software (The Hindu)
    154d 20h

    ScoresSource
  5. [5.6]
    Andres Freund uncovers sabotage in XZ Utils, preventing crisis (The Japan Times)
    155d 0h

    ScoresSource
  6. [5.9]
    Free online scanner detects XZ Utils backdoor in Linux (TechRadar)
    157d 9h

    ScoresSource
  7. [6.2]
    Linux narrowly avoided cyber attack from XZ Utils backdoor (The Verge)
    158d 1h

    ScoresSource
  8. [5.7]
    Supply chain attack targets XZ Utils in Linux distributions (Cybersecurity Dive)
    158d 3h

    ScoresSource
  9. [7.2]
    Backdoor in XZ Utils allows unauthorized root access (WIRED)
    158d 16h

    ScoresSource
  10. [5.9]
    Backdoor in XZ Utils poses security risk in Linux (Nextgov/FCW)
    159d 9h

    ScoresSource
  11. [5.8]
    Critical Linux vulnerability; update XZ Utils before 5.6.0 (IT World Canada)
    159d 13h

    ScoresSource
  12. [5.9]
    Backdoor found in xz Utils for Linux systems (Ars Technica)
    159d 18h

    ScoresSource
  13. [6.3]
    Critical xz package vulnerability discovered on Debian, CVE-2024-3094 (TechRadar)
    160d 4h

    ScoresSource
  14. [5.9]
    XZ Utils compromised by maintainer "Jia Tan." (Help Net Security)
    160d 6h

    ScoresSource
  15. [6.6]
    Critical XZ Utils vulnerability allows unauthorized system access (Help Net Security)
    160d 17h

    ScoresSource
  16. [5.9]
    Critical security flaw in xz-utils threatens Linux and macOS (Security Boulevard)
    160d 20h

    ScoresSource
  17. [5.5]
    Malicious code in xz libraries poses security threat (The New Stack)
    161d 6h

    ScoresSource
  18. [4.3]
    Backdoor in xz compression utility version 5.6.0 discovered (SC Media)
    162d 1h
    Source
  19. [4.1]
    Backdoor found in xz Utils 5.6.0/5.6.1, affecting Linux distributions (Ars Technica)
    162d 5h
    Source
  20. [6.1]
    Critical XZ Utils vulnerability (CVE-2024-3094) compromises Linux systems (Help Net Security)
    162d 7h

    ScoresSource