What we know about the xz Utils backdoor that almost infected the world

Great article about the newly discovered xz Utils backdoor by a MS employee. Dan Goodin breaks down how this happened in a tldr fashion.


This is a nicely made article with a lot of details. I hadn’t seen this one yet so thanks for sharing. There is a lot of super interesting and terrifying info about this attack that has far reaching implications.

Though this article says “Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream.” It was not a few weeks away from going mainstream. At best, it was months away, since all of the distros that were targeted are months away from potential implementation, like Fedora 41 (October) [CentOS / RHEL much, much later] or Ubuntu 24.10 (October). The most problematic would probably have been openSUSE Tumbleweed because of it being rolling and still widely used and part of the target criteria. That might seem pedantic, as that doesn’t really matter because it would have been catastrophic either way, but it wasn’t “right around the corner”. In fact, systemd was implementing potential changes that would have likely broken the attack before those distros pushed out the backdoor, if that were to happen, so who knows, but yeah, lots of nuance here.

