Here we go: https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/

As I said, the impact here will be very limited due to how quick it was caught. Everybody owes the finder a beer.

Back in 2022 a host of characters appeared and basically bullied the creator of the XZ project to hand it over to somebody else - at the time the guy cited mental health issues around not updating the project quickly.

At the time he was already talking about maybe handing over to the account who years later introduced the backdoor.

In mid 2023 said account introduced a change to Google’s OSS Fuzzer to weaken detection for XZ.

Somebody played a years long game of Jenga and lost.

Before everybody high fives each other, this is how the backdoor was found: somebody happened to look at why CPU usage had increased in sshd, and did all the research and notification work themselves. By this point the backdoor had been there for a month unnoticed.

I’ve made the joke before that if GCHQ aren’t introducing backdoors and vulns in open source that I want a tax refund. It wasn’t a joke. And it won’t be just be GCHQ.

https://mastodon.social/@AndresFreundTec/112180406142695845