{"id":92465,"date":"2024-04-01T08:24:35","date_gmt":"2024-04-01T12:24:35","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=92465"},"modified":"2025-01-03T10:36:11","modified_gmt":"2025-01-03T08:36:11","slug":"backdoor-discovered-in-xz-the-most-advanced-supply-chain-attack-known-to-date","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/blog\/backdoor-discovered-in-xz-the-most-advanced-supply-chain-attack-known-to-date\/","title":{"rendered":"Backdoor Discovered in xz: The Most Advanced Supply Chain Attack Known to\u00a0Date"},"content":{"rendered":"<p>The xz project, a tool used by many Linux distributions for compressing files, was compromised by a malicious actor who gradually took over the project and inserted a backdoor.<\/p>\n\n\n\n<p>The attack, discovered accidentally on March 29, 2024, by a developer named Andres Freund during performance testing, was carried out over several years by the GitHub account Jia Tan (JiaT75), who gained the trust of the long-time maintainer of the xz project and eventually replaced them as the main point of contact.<\/p>\n\n\n\n<p>The backdoor was added in versions 5.6.0 and 5.6.1 of xz Utils, a software package that includes the xz library. 
This backdoor allows attackers unauthorized access to systems that have the compromised versions installed.<\/p>\n\n\n\n<p>The impact of this backdoor is significant because of xz\u2019s use in many systems around the world, including popular Linux distributions like Red Hat and Debian.<\/p>\n\n\n\n<p>In this blog post, we will provide a timeline of the events, look at the key people involved, and discuss what this incident means for the open-source community and the importance of maintaining the security and integrity of widely-used software libraries.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\"><strong>Key Findings<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>xz, a widely-used compression library, was compromised with a backdoor (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-3094\">CVE-2024-3094<\/a>) that allows unauthorized access&nbsp;to systems with the compromised versions (5.6.0 and 5.6.1) installed.<\/li>\n\n\n\n<li>The attack was carried out over several years by a user named Jia Tan (JiaT75), who gradually gained maintainer status after continuous pressure from unknown accounts on the long-time maintainer, Lasse Collin, to add a new maintainer and approve Jia Tan&#8217;s patch.<\/li>\n\n\n\n<li>The widespread use of xz in Linux distributions makes the impact of the backdoor significant.<\/li>\n\n\n\n<li>The backdoor was&nbsp;<strong>accidentally<\/strong>&nbsp;discovered on March 29, 2024, by the developer Andres Freund.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\"><strong>Gaining Reputation Over Time<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/04\/image-1-1.png\" alt=\"\" class=\"wp-image-95085\"><\/figure>\n\n\n\n<p>The xz compression library, a widely-used tool for compressing files, found across Linux distributions, community projects, and 
commercial products, was compromised by a malicious actor named Jia Tan (JiaT75), who gradually and patiently gained maintainer status in order to pull off the attack, ultimately introducing a backdoor identified as&nbsp;<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-3094\">CVE-2024-3094<\/a>.<\/p>\n\n\n\n<p>The attack began in 2021, when Jia Tan created their GitHub account and began using it for various activities.<\/p>\n\n\n\n<p>In April 2022, Jia Tan submitted a patch to the xz project via a mailing list. Soon after, unknown accounts, including one named Jigar Kumar and another named Dennis Ens, began pressuring the long-time maintainer of xz, Lasse Collin, to merge the patch and add a new maintainer to the project. Lasse Collin, who had limited availability to take care of the project, eventually agreed to add Jia Tan as a maintainer, a decision that is not unusual in the open-source community, where maintainers often hand off projects to others for various reasons.<\/p>\n\n\n\n<p>Over the next two years, Jia Tan became a regular contributor to the xz project, gaining trust within the community.<\/p>\n\n\n\n<p>By March 2023, Jia Tan had become the primary contact for xz in Google&#8217;s oss-fuzz, a platform for finding vulnerabilities in open-source software.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\"><strong>Most Sophisticated Supply Chain Attack We Know<\/strong><\/h2>\n\n\n\n<p>The backdoor itself was introduced in versions 5.6.0 and 5.6.1 of xz Utils, a software package that includes the xz library. 
The malicious code gives attackers unauthorized access by compromising the SSH daemon (sshd) on systems with the backdoored versions installed, making it a significant threat to users of the library.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/04\/image-11.png\" alt=\"\" class=\"wp-image-95086\"><\/figure>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\"><strong>A Discovery<\/strong><\/h2>\n\n\n\n<p>The backdoor was accidentally discovered on March 29, 2024, by&nbsp;<a href=\"https:\/\/www.openwall.com\/lists\/oss-security\/2024\/03\/29\/4\">Andres Freund<\/a>&nbsp;during routine performance testing. Freund noticed unusual CPU usage in the sshd process, which led him to investigate further and uncover the malicious code. Without this accidental discovery, the backdoor could have gone unnoticed for much longer, affecting a large part of the open-source ecosystem.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/04\/image-2-1.png\" alt=\"\" class=\"wp-image-95087\"><\/figure>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\"><strong>Impact<\/strong><\/h2>\n\n\n\n<p>The backdoor could have had particularly severe consequences due to the widespread use of xz in compressing critical software components, including popular Linux distributions like Red Hat and Debian. 
Many systems worldwide rely on xz for compressing and decompressing files, making the potential reach of the backdoor extensive.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/04\/image-3-1.png\" alt=\"\" class=\"wp-image-95088\"><\/figure>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-8\"><strong>Advanced Persistent Threat<\/strong><\/h2>\n\n\n\n<p>The involvement of multiple identities, the complexity of the payload, the high level of technical expertise required, and the patience and persistence shown in gradually gaining trust within the xz community over several years before introducing the backdoor are all consistent with the capabilities of nation-state actors and are hallmarks of advanced persistent threats (APTs).&nbsp;<\/p>\n\n\n\n<p>This incident is part of a growing and alarming trend of advanced persistent threats (APTs) targeting critical open-source projects.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-9\"><strong>Conclusion<\/strong><\/h2>\n\n\n\n<p>The xz compromise highlights the urgent need for the open-source community to improve its security practices and tools to prevent similar attacks in the future. Collaboration, transparency, and shared responsibility are essential to detecting and mitigating advanced persistent threats (APTs) targeting critical open-source projects.&nbsp;<\/p>\n\n\n\n<p>We, the community, must develop more effective strategies to strengthen the security of open-source software. 
By learning from this incident and taking proactive measures, the open-source community can build a more resilient and trustworthy ecosystem, ensuring the long-term success and integrity of open-source projects in the face of ever-evolving cybersecurity threats.<\/p>\n\n\n\n<p>Let us work together to keep the open-source ecosystem safe.<\/p>","protected":false},"excerpt":{"rendered":"<p>The xz project, a tool used by many Linux distributions for compressing files, was compromised by a malicious actor who gradually took over the project and inserted a backdoor. The attack, discovered accidentally on March 29, 2024, by a developer named Andres Freund, during performance testing, was carried out over several years by the GitHub [&hellip;]<\/p>\n","protected":false},"author":19,"featured_media":92470,"template":"","zero-category":[1067],"zero-tag":[1085,1068,1073,1074,1070,1071],"class_list":["post-92465","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-blog","zero-tag-breaking-news","zero-tag-checkmarx-security-research-team","zero-tag-english","zero-tag-leadership","zero-tag-open-source-security","zero-tag-supply-chain-security"],"acf":[]}