One of the more interesting graphics I've seen regarding the XZ backdoor is a representation of Jia Tan's commits over time. Notice how the commits in question were done well outside the normal times this user committed code in the past.

Does this lend credence to the notion that somehow the Jia Tan account was hijacked? Maybe. Or maybe it just means the attackers got sloppy at the tail end of a 2-year op for unknown reasons, like they were up against a hard deadline that was tied to something happening IRL.

I'm curious what the prevailing theory is here.

@briankrebs IIRC around the same time, sock puppets re-appeared to lobby for inclusion of the backdoored version in at least Debian unstable. I think @rotopenguin has pointed to the most plausible answer. The proposed PR for systemd meant that the window for the exploit would be limited. If they could get it into the next Debian release, and possibly the Ubuntu update in April, at least it would be in the wild for a few months. They were running out of time.