2024-04-03
xz is part of just about every Unix-y operating system (macOS included). Had it gone undetected, this tainted version of xz would have enabled an as-yet-unidentified group the ability to take over up to hundreds of thousands of servers worldwide. (2/3)
research!rsc
A timeline of the attack on open-source project XZ Utils, which began in late 2021 and led to a backdoor with RCE in Linux distros Debian, Red Hat, and others
Over a period of over two years, an attacker using the name “Jia Tan” worked as a diligent, effective contributor to the xz compression library …