XZ Utils Open-Source Software Supply Chain Attack


  • Years in the making, an open-source software supply chain attack was recently thwarted by an engineer after discovering it by chance.
  • An open-source software maintainer was socially engineered to onboard a malicious actor as a co-maintainer for a popular Linux library, XZ Utils, which was then compromised with a backdoor.
  • The attack, possibly planned and under execution since at least 2021 to target several Linux distributions, could have proven catastrophic had it not been discovered in time.

Late last month, a Microsoft engineer who volunteers on the PostgreSQL RDBMS caught what has been described as one of “the best executed supply chain attack we’ve seen described in the open.”

Andres Freund’s inquisitiveness led to the discovery of a highly critical backdoor in XZ Utils, a compression and decompression library that is ubiquitous on Linux systems and shipped by nearly all distributions. Specifically, the backdoor was discovered in liblzma, the XZ Utils library package that OpenSSH’s sshd depends on in several Linux distros.

The backdoor, now being tracked as a vulnerability – CVE-2024-3094