Supply Chain · 2024-03-29

xz Utils: A Two-Year Social Engineering Job

A maintainer spent two years earning trust in an open-source project just to slip a backdoor into the build process. This wasn't hacking. This was patience.

My take

People keep calling this sophisticated. It's not. It's a person who showed up, did the work, gained commit access, and poisoned the supply chain. The scary part isn't the technique; it's that the entire model of open-source trust made it easy. We hand the keys to anyone who sticks around long enough.

Terminal

# checking xz version on a debian system
$ xz --version
xz (XZ Utils) 5.6.1
liblzma 5.6.1
# 5.6.0 and 5.6.1 contain the backdoor
# check if sshd links against liblzma
# (on debian/ubuntu the link is usually indirect, sshd -> libsystemd -> liblzma,
#  which ldd still shows because it resolves transitive dependencies)
$ ldd $(which sshd) | grep lzma
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1234567000)
# if this returns a match, your sshd is linked to the compromised library
# downgrade immediately: apt install xz-utils=5.4.5-0.3
# (the shared library itself ships in the liblzma5 package on debian; make sure
#  that one is downgraded too, then restart sshd)
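The three steps above (read the xz version, check whether sshd loads liblzma, decide) as one script that can be run against a host or unit-tested offline. This is an added example, not code from the original post; the filename xz-triage.sh, the function names and the sample banner and ldd lines are all constructed here.

```shell
#!/bin/sh
# Added example, not code from the original post: a triage helper for the
# xz backdoor. Known-bad upstream releases are 5.6.0 and 5.6.1.

# Print the version from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1"; prints nothing if unparseable.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 if VERSION is one of the backdoored releases.
is_backdoored_xz() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Exit 0 if an ldd listing shows liblzma being loaded. ldd resolves transitive
# deps, so the indirect sshd -> libsystemd -> liblzma link on Debian is caught.
sshd_links_lzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# triage XZ_BANNER LDD_OUTPUT: prints a verdict and returns
#   0 = not a known-bad xz, 1 = bad xz but sshd does not load liblzma,
#   2 = bad xz AND sshd loads liblzma, 3 = xz version could not be parsed.
triage() {
    ver=$(xz_version_from_banner "$1")
    [ -n "$ver" ] || { echo "unknown: could not parse xz version"; return 3; }
    if ! is_backdoored_xz "$ver"; then
        echo "clean: xz $ver is not a known-bad release"; return 0
    fi
    if sshd_links_lzma "$2"; then
        echo "EXPOSED: xz $ver is backdoored and sshd loads liblzma"; return 2
    fi
    echo "WARN: xz $ver is backdoored; sshd does not load it, downgrade anyway"
    return 1
}

# Constructed sample inputs (not captured from a real host) for a dry run.
SAMPLE_BANNER='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1234567000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1234000000)'
triage "$SAMPLE_BANNER" "$SAMPLE_LDD"
if [ "${1:-}" = "--live" ]; then   # sh xz-triage.sh --live checks this host
    triage "$(xz --version 2>/dev/null)" "$(ldd "$(command -v sshd)" 2>/dev/null)"
fi
```

Without `--live` the script only runs the constructed sample, which prints the EXPOSED verdict; with it, the real `xz --version` and `ldd` output of the current host are used instead.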

Takeaway

Pin your dependencies. Audit your maintainers. Stop assuming that open source means someone else already checked.