A supply chain attack involving backdoored versions of the XZ Utils data compression library has impacted several major Linux distributions.
Andres Freund, a Microsoft software engineer who discovered the backdoor, explains that the malicious code was introduced in the tarball download package for XZ Utils version 5.6.0, which was released in February 2024. Version 5.6.1 was released shortly after, with updated malicious code that included more obfuscation and fixes for errors that occurred in some configurations.
The code was intended to run at the end of a script and modify the liblzma library, which is part of the XZ Utils package, to allow unauthenticated access to the system.
For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.
