Major Open-Source Backdoor Prompts Security Warning

A sophisticated backdoor was discovered in xz, a widely used open-source data compression utility, creating a major security vulnerability in SSH servers. The incident serves as a stark warning for developers about supply chain security, showing how even small, trusted dependencies can introduce catastrophic risk to production systems.

The vulnerability, identified as CVE-2024-3094, received the highest possible CVSS score of 10.0. It was discovered on March 29, 2024 by Andres Freund, a Microsoft developer, who noticed unusual CPU usage and errors from a memory debugging tool while investigating a 500-millisecond delay in SSH logins on a Debian system.

The backdoor was introduced by a user known as "Jia Tan" (JiaT75), who began contributing to the xz project in 2022. Over two years, Jia Tan built credibility and eventually became a co-maintainer. This individual, likely operating under a pseudonym, used sock puppet accounts to pressure the original maintainer into granting them more control.

The malicious code was inserted into xz versions 5.6.0 and 5.6.1. It was designed to let an attacker holding a specific private Ed448 key execute arbitrary code remotely by hijacking the OpenSSH authentication process. The attack was sophisticated: the malicious payload was hidden in test files and only activated during the package build process, so it was not present in the public git repository.

Fortunately, the compromised versions had not been widely deployed in the stable releases of major Linux distributions. Affected distributions included development versions of Fedora, Debian, openSUSE, and Arch Linux. The incident has been described as a "watershed moment" for software supply chain security and has raised concerns about the reliance on unpaid volunteers to maintain critical internet infrastructure.
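As an added example that is not part of the original article, the following triage script checks a Linux host for the two backdoored xz releases named above and for whether the running sshd has liblzma mapped into its process, which is how the payload reached the OpenSSH authentication path. It assumes standard POSIX tools plus `pidof`; the function names and the `/proc` lookup are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article or the xz project): quick triage for the
# xz/liblzma backdoor (CVE-2024-3094), which shipped in xz-utils 5.6.0 and 5.6.1.
# Assumes a Linux host with POSIX sh, sed, grep and pidof.

# Return 0 (shell true) when a version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the running sshd has liblzma mapped into its address space,
# 1 if not, 2 if sshd is not running. The backdoor only reaches sshd when
# liblzma is loaded into the sshd process, so a clean mapping list means
# this particular payload has no path into authentication on that host.
sshd_maps_liblzma() {
    pid=$(pidof sshd 2>/dev/null | cut -d' ' -f1)
    [ -n "$pid" ] || return 2
    grep -q 'liblzma' "/proc/$pid/maps" 2>/dev/null
}

# Human-readable report combining both checks.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if xz_version_affected "$ver"; then
            echo "WARNING: xz $ver is a backdoored release (CVE-2024-3094); downgrade and treat the host as potentially compromised"
        else
            echo "xz $ver is not one of the known backdoored releases"
        fi
    else
        echo "xz binary not found in PATH"
    fi
    sshd_maps_liblzma
    case $? in
        0) echo "sshd has liblzma mapped: exposed if liblzma is a backdoored build" ;;
        1) echo "sshd does not map liblzma: this payload has no path into sshd" ;;
        2) echo "sshd is not running" ;;
    esac
}
```

Run `check_host` on each host; the version check alone is not sufficient, since a distribution may patch sshd so that liblzma is never loaded.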
