The XZ Utils Backdoor: A Near-Miss That Rewrote the Rules of Open Source Trust


On March 29, 2024, a Microsoft engineer named Andres Freund posted what would turn out to be one of the most significant security disclosures in recent memory. While investigating an odd 500ms latency spike in SSH connections on his Debian machine, he uncovered a deliberately planted backdoor inside XZ Utils — a compression library present in virtually every major Linux distribution.

The attacker, operating under the alias "Jia Tan," had spent over two years methodically cultivating trust within the XZ Utils open source project. The persona appeared in 2021, made genuine, helpful contributions for months, gradually became a co-maintainer, and only then — after earning full commit access — inserted the payload. It was patient, professional, and nearly invisible.

What made this different from previous supply chain attacks?
Most supply chain compromises target a build server, a package registry, or a vendor's update infrastructure — external systems. XZ Utils was different because the attacker became a trusted insider within the project itself. The backdoor was injected not into the source code in any obvious way, but into the build system's autoconf macros and test files. A code review of the C source alone would not have caught it. An SBOM listing xz-utils as a dependency would not have flagged it. The malicious logic was triggered only during the build process on specific architectures.
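Because the malicious logic lived in build inputs rather than in the C sources, one check a practitioner would want is a diff between the build-system files in a release tarball and the same files in the tagged git tree. The following is an added example, not code from the original post or from the XZ Utils project; it works over two in-memory `{path: bytes}` trees (constructed here) that in practice you would fill from `git archive` and from the unpacked tarball, and the file names it flags are invented for the demonstration.

```python
# Added example (not from the original post): compare the build-system files
# in a release tarball against the files in the tagged git tree. Both trees
# are passed in as {relative_path: bytes} mappings; in practice you would fill
# them from `git archive` and from the unpacked tarball.
import hashlib
from typing import Dict, List

# File patterns that feed the build rather than the compiled program.
BUILD_SUFFIXES = (".m4", ".ac", ".am", ".in", ".sh")
BUILD_DIRS = ("m4/", "tests/")

def is_build_input(path: str) -> bool:
    """True for files that run or shape the build (autoconf/automake/test assets)."""
    return path.endswith(BUILD_SUFFIXES) or path.startswith(BUILD_DIRS)

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare_trees(git_tree: Dict[str, bytes], tarball: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Return build-input files that are only in the tarball, only in git, or differ."""
    report: Dict[str, List[str]] = {"tarball_only": [], "git_only": [], "modified": []}
    for path in sorted(set(git_tree) | set(tarball)):
        if not is_build_input(path):
            continue
        if path not in git_tree:
            report["tarball_only"].append(path)
        elif path not in tarball:
            report["git_only"].append(path)
        elif digest(git_tree[path]) != digest(tarball[path]):
            report["modified"].append(path)
    return report

# Constructed sample trees. The extra macro and the changed test file are
# invented for the demonstration; they are not the real backdoor artifacts.
SAMPLE_GIT = {
    "configure.ac": b"AC_INIT([example], [1.0])\n",
    "m4/ax_pthread.m4": b"# pthread detection macro\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "tests/files/sample.xz": b"\xfd7zXZ\x00",
}
SAMPLE_TARBALL = {
    "configure.ac": b"AC_INIT([example], [1.0])\n",
    "m4/ax_pthread.m4": b"# pthread detection macro\n",
    "m4/extra-helper.m4": b"# macro that exists only in the tarball\n",  # hypothetical
    "src/main.c": b"int main(void) { return 0; }\n",
    "tests/files/sample.xz": b"\xfd7zXZ\x00\x00\x00",  # differs from git
}

if __name__ == "__main__":
    for kind, paths in compare_trees(SAMPLE_GIT, SAMPLE_TARBALL).items():
        print(kind, paths)
```

Generated autotools output (`configure`, `Makefile.in`) is legitimately tarball-only, so the report is a review list rather than a verdict: regenerate those files with `autoreconf` from the git tree and compare again, and treat any remaining tarball-only macro or modified test asset as something a human must read.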

What did the backdoor actually do?
The payload specifically targeted sshd on systemd-based Linux systems. By hooking into the RSA key decryption path during SSH authentication, it would allow an attacker holding a specific private key to execute arbitrary code on affected systems — before any login credentials were ever checked. In other words: unauthenticated remote code execution on any internet-facing Linux server running the affected packages.
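Two host-level checks follow from this description: whether the sshd binary on a system pulls in liblzma at all (on systemd-based distributions it arrives through libsystemd), and whether the installed XZ Utils is one of the affected releases. This is an added example, not code from the original post; it parses constructed `ldd` and `xz --version` output so it runs offline, and the library paths in the sample are typical but invented.

```python
# Added example (not from the original post): two host checks over constructed
# command output. In practice feed them the real output of
# `ldd "$(command -v sshd)"` and `xz --version`.
import re
from typing import Dict, Optional, Tuple

AFFECTED_XZ_VERSIONS = {(5, 6, 0), (5, 6, 1)}  # the versions named in the disclosure

def parse_ldd(output: str) -> Dict[str, str]:
    """Map each shared-object name in ldd output to its resolved path."""
    libs: Dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\S+)\s*=>\s*(\S+)", line)
        if m:
            libs[m.group(1)] = m.group(2)
    return libs

def sshd_liblzma_path(ldd_output: str) -> Optional[str]:
    """Return the liblzma path if sshd's process image loads it, else None."""
    for name, path in parse_ldd(ldd_output).items():
        if name.startswith("liblzma"):
            return path
    return None

def parse_xz_version(version_output: str) -> Tuple[int, ...]:
    """Extract the x.y.z version tuple from `xz --version` output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no version found in output")
    return tuple(int(x) for x in m.groups())

def xz_version_is_affected(version_output: str) -> bool:
    return parse_xz_version(version_output) in AFFECTED_XZ_VERSIONS

# Constructed ldd output for an sshd that links libsystemd, which in turn
# depends on liblzma. Paths and load addresses are invented for this sample.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd8c5f4000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1b1c200000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1b1c100000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1b1c0c0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b1be00000)
"""
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"

if __name__ == "__main__":
    print("sshd loads liblzma from:", sshd_liblzma_path(SAMPLE_LDD))
    print("installed xz is an affected release:", xz_version_is_affected(SAMPLE_XZ_VERSION))
```

The version check is a necessary but not sufficient test: distributions patch and rebuild packages under their own version strings, so the authoritative answer comes from the distribution's advisory and package database, and an sshd that loads liblzma at all is the condition that made the payload reachable in the first place.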

Caught by accident, not by design
What is perhaps most unsettling is that the backdoor was caught purely by chance — a developer noticing an anomaly in benchmarks, not a security scanner raising an alert. The affected versions (5.6.0 and 5.6.1) had made it into Fedora Rawhide and several rolling-release distributions before the discovery. Had it gone undetected for another few months, the exposure across production Linux infrastructure globally would have been staggering.

The network behavior angle
From a behavioral detection perspective, this attack is a useful case study. The backdoor's purpose was to give an attacker a covert entry point via SSH, a service whose entire job is to accept and hold network connections. Any unexpected change in the SSH daemon's connection profile, such as connections from unfamiliar IPs, or a pattern inconsistent with normal administrative access, would be a signal worth investigating. Systems that maintain a baseline of what their SSH daemon legitimately communicates with are in a better position to notice when something changes.

The broader lesson
XZ Utils is a warning about the limits of source-level trust. Verifying that code is open source, that it has many contributors, or even that it has been audited before does not protect against a long-running social engineering campaign targeting the maintainers themselves. Complementing code-level scrutiny with runtime behavioral baselines — understanding what a piece of software actually does on the network — adds a layer of detection that is largely independent of how the compromise was introduced.
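The behavioral baseline that the two preceding sections argue for can be made concrete. The following is an added example, not code from the original post and not Peerscope's own logic: it learns which remote peers and which hours of the day are normal for a host's SSH daemon from a training window of connection records, then flags records in a later window that fall outside that profile. The records, the admin network range and the peer addresses are all constructed; in practice they would come from flow logs or sshd logs.

```python
# Added example (not from the original post): a minimal behavioral baseline
# for a host's SSH daemon, learned from constructed connection records.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

@dataclass(frozen=True)
class SshConn:
    ts: datetime      # when the connection was observed
    direction: str    # "in" (client -> sshd) or "out" (initiated by the sshd process)
    peer: str         # remote IP address
    peer_port: int

@dataclass
class Baseline:
    peers: set        # exact remote addresses seen during learning
    networks: list    # operator-supplied admin networks (assumed input)
    hours: Counter    # hour of day -> number of inbound connections seen
    total: int

def learn_baseline(records: Iterable[SshConn], admin_networks: List[str]) -> Baseline:
    """Build the profile from inbound connections in the learning window."""
    peers, hours, total = set(), Counter(), 0
    for r in records:
        if r.direction != "in":
            continue
        peers.add(r.peer)
        hours[r.ts.hour] += 1
        total += 1
    return Baseline(peers, [ip_network(n) for n in admin_networks], hours, total)

def in_admin_network(baseline: Baseline, peer: str) -> bool:
    addr = ip_address(peer)
    return any(addr in net for net in baseline.networks)

def score(baseline: Baseline, records: Iterable[SshConn]) -> List[Dict]:
    """Return one finding per record that deviates from the learned profile."""
    findings = []
    for r in records:
        reasons = []
        if r.direction == "out":
            # sshd accepts connections; it has no business opening new ones.
            reasons.append("sshd-initiated outbound connection")
        if r.peer not in baseline.peers and not in_admin_network(baseline, r.peer):
            reasons.append("peer never seen and outside admin networks")
        if r.direction == "in" and baseline.hours[r.ts.hour] == 0:
            reasons.append(f"no inbound SSH at hour {r.ts.hour:02d} in baseline")
        if reasons:
            findings.append({"ts": r.ts.isoformat(), "peer": r.peer, "reasons": reasons})
    return findings

def T(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed learning window: a jump host and an admin workstation, business hours.
LEARNING = [
    SshConn(T("2024-03-20T09:05:00"), "in", "10.0.5.10", 51234),
    SshConn(T("2024-03-20T11:40:00"), "in", "10.0.5.10", 51300),
    SshConn(T("2024-03-21T14:15:00"), "in", "10.0.7.22", 40022),
    SshConn(T("2024-03-22T10:00:00"), "in", "10.0.5.10", 52001),
]
# Constructed evaluation window.
NEW_WINDOW = [
    SshConn(T("2024-03-28T10:30:00"), "in", "10.0.5.10", 53111),    # normal
    SshConn(T("2024-03-28T11:00:00"), "in", "10.0.7.40", 41000),    # new peer, but inside admin net
    SshConn(T("2024-03-29T03:12:00"), "in", "203.0.113.77", 60100), # unknown peer at 03:12
    SshConn(T("2024-03-29T03:12:30"), "out", "203.0.113.77", 8443), # sshd opened a connection itself
]

if __name__ == "__main__":
    baseline = learn_baseline(LEARNING, admin_networks=["10.0.7.0/24"])
    for finding in score(baseline, NEW_WINDOW):
        print(finding)
```

The profile is deliberately coarse (exact peers plus an operator-declared admin range plus hour of day), which keeps it explainable: every finding carries the reasons it fired, and a reviewer can tell at a glance whether a new peer is a legitimate workstation to add to the baseline or something the daemon should never have talked to. The outbound check is the one most independent of how a compromise was introduced, since an SSH daemon that starts initiating connections is anomalous regardless of which library was tampered with.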


If you want to know whether software running in your environment is behaving within its expected network profile, or whether a recent update has introduced new and unexpected connections, get in touch. That is exactly the kind of question Peerscope is built to answer.