Skip to content

xz utils (2024)

The Lesson: Trust is transitive. Even careful projects can be compromised through patient social engineering.

Years of Patience

This one still keeps me up at night. The attacker spent years building trust. Legitimate contributions. Helpful responses. And all the while, they were waiting for the right moment to insert a backdoor into SSH infrastructure across the internet. They almost succeeded.

What Happened

On March 29, 2024, Andres Freund—a PostgreSQL developer and Microsoft engineer—posted to the oss-security mailing list.1 He'd been debugging SSH performance issues and stumbled onto something unexpected: a backdoor in xz utils, a compression library embedded in SSH servers across Linux distributions.

The backdoor wasn't a hasty injection. It was sophisticated, carefully hidden, and years in the making. And it had been inserted by someone the project trusted: a maintainer named "Jia Tan."2

The Attack

xz utils (previously LZMA Utils) is a compression library and command-line tool. It's not glamorous software—most users never interact with it directly. But it's embedded everywhere: in systemd, in SSH, in package managers, in countless Linux utilities. Compromise xz, and you compromise the systems that depend on it.

The attack unfolded over years:

2021: An account named "Jia Tan" begins contributing patches to xz utils. The contributions are helpful, uncontroversial.

2022: Pressure campaigns begin on the existing maintainer, Lasse Collin, to add another maintainer. Accounts that appear to be sockpuppets complain about slow patch reviews, suggest Collin is overwhelmed, advocate for giving commit access to helpful contributors like Jia Tan.

2022-2023: Jia Tan gains increasing trust and commit access. Contributions continue to be legitimate.

February 2024: Jia Tan introduces obfuscated malicious code into the build system—not the source code proper, but the release tarballs. The backdoor targets SSH authentication, specifically on systems using systemd.2

March 2024: The backdoored versions (5.6.0 and 5.6.1) begin shipping in Linux distributions. Fedora Rawhide and Debian unstable include them.

March 29, 2024: Freund's post reveals the backdoor. Distributions scramble to revert. CVE-2024-3094 is assigned with a CVSS score of 10.0.3

Why It Almost Worked

The attack was caught by accident. Freund was investigating a 500ms slowdown in SSH connections—a performance regression, not a security audit. Had the backdoor not caused that telltale latency, it might have reached stable releases of major distributions.2

Several factors made the attack viable:

Single-maintainer projects are vulnerable. Collin maintained xz utils essentially alone. When he was pressured—by what appeared to be multiple community members—to add help, the request seemed reasonable. The attackers exploited maintainer burnout as an attack vector.

Trust transferred without verification. Once Jia Tan had commit access, the project's existing trust was extended to them. Code review happened, but sophisticated attackers can pass code review. The malicious code was specifically designed to evade detection, hidden in test files that looked like binary blobs.

Build systems are trusted. The backdoor wasn't in the source repository that security researchers might audit. It was in the release tarballs generated by the build system. Distributions trusted those tarballs because they trusted the project.

Infrastructure code is invisible. xz utils isn't exciting. It doesn't have CVE bounties or security audits. It's the plumbing—reliable, boring, unexamined. That made it an attractive target.

What Didn't Happen

The attack was detected before reaching stable releases of most major distributions. But the margin was thin:

  • Fedora 40 (beta) had the vulnerable version
  • Debian unstable and testing had it
  • Some Arch and openSUSE builds had it
  • Production systems were days to weeks away from exposure

If not for a performance regression—an accident—the backdoor would have been sitting in SSH servers across the internet.

What Changed

The xz incident intensified conversations that log4shell had started:

Maintainer vetting is hard. How do you verify that a helpful contributor is who they claim to be? Jia Tan had years of legitimate contributions. The account passed every heuristic for trustworthiness. The industry still lacks good answers.

Build system security matters. The backdoor targeted release artifacts, not source code. This highlighted the gap between "auditing the source" and "securing the build."

Binary blobs in test data are risky. The malicious payload was hidden in what appeared to be test fixture files. This has renewed scrutiny of non-source-code files in repositories.

Single-maintainer projects are systemic risk. Critical infrastructure depending on overwhelmed volunteers isn't just a sustainability problem—it's a security problem.

The Proof

I've been saying for years that maintainer burnout is a security issue. Here's the proof.

What the xz attackers understood—and what the industry is still learning—is that open source trust models assume good faith. They work remarkably well when that assumption holds. But they have no defense against patient, sophisticated adversaries willing to invest years in building trust.

Jia Tan didn't break into anything. They were given the keys. By a maintainer who was overwhelmed, under pressure, and trying to do the right thing by accepting help.

The hardest part of this incident isn't the technical remediation. It's the question it raises: Who can you trust? The answer used to be "the maintainers." Now it's "the maintainers, probably, if they haven't been pressured into adding someone they shouldn't trust." That's not a good answer.

We need better answers. Better funding for critical infrastructure. Better tooling for provenance and build verification. Better support for maintainers so they're not vulnerable to social engineering. But mostly, we need to stop being surprised when the systems we build on trust are compromised by people who abuse trust. That's not a bug in the model. It's a feature that adversaries can exploit.

Timeline

Date Event
2021 "Jia Tan" begins contributing to xz utils
2022 Pressure campaigns for new maintainers; Jia Tan gains commit access
2022-2024 Continued legitimate contributions
February 24, 2024 xz 5.6.0 released with backdoor
March 9, 2024 xz 5.6.1 released
March 29, 2024 Andres Freund discloses backdoor
March 29, 2024 CVE-2024-3094 assigned (CVSS 10.0)
March 30, 2024 Major distributions begin reverting

  1. See xz Utils Backdoor 

  2. See xz Utils Backdoor Analysis 

  3. NIST. "CVE-2024-3094 Detail." National Vulnerability Database. March 2024. https://nvd.nist.gov/vuln/detail/CVE-2024-3094