ADVERTISEMENT

The XZ Backdoor explained

As software projects become more complex, development teams are working to integrate different components from various sources to build their software solutions.

XZ Linux

Image by Cybernews.

Nihad A. Hassan
Nihad A. Hassan Contributor
Apr 5, 2024 4 min read

Technical specifications of the attack

ADVERTISEMENT

Who is behind the backdoor?

XZ backdoor
Figure 1 - Screen capture showing threat actor profile (JiaT75) on the GitHub platform
XZ threat actors
Figure 2 - Threat actors using different GiHub accounts begin to pressure the XZ project owner to add a new maintainer to the repository | Source: https://www.mail-archive.com/[email protected]/msg00566.html
XZ updates
Figure 3 - Threat actor JiaT75 changed the XZ project primary email address to them instead of the original developer email address on March 20th, 2023
XZ docs
Figure 4 - Beginning in 2024, threat actor JiaT75 has complete control over the XZ project domain name
XZ malicious code
Figure 5 - In Feb 2024, JiaT75 added the remaining code files needed to execute the backdoor | Source: https://git.tukaani.org/?p=xz.git;a=commitdiff;h=cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0
ADVERTISEMENT