Backdoor attempt on xz Utils likely one of several open-source sabotage attempts, foundations say

Open-source foundations have warned an elaborate, multiyear effort to sneak a backdoor into Linux’s xz data compression library may be the tip of the iceberg.

The Linux world narrowly avoided a potentially catastrophic security situation in late March, when developer Andres Freund discovered that a Linux contributor had snuck obfuscated code into two versions of xz Utils, a compression utility. The manipulated versions were designed to inject malicious functions into Secure Shell (SSH) protool operations.

A programmer using the name Jia Tan, who had made their first open-source contributions in 2021, joined the xz Utils project in 2023, courtesy of community discussions that in retrospect, appear to have been a social engineering pressure campaign. In February 2023, Tan committed malicious code deep in binary test files, which then made its way into development versions of some Linux distributions. Tan also advocated merging the changes into production versions of Ubuntu, Red Hat, and Debian, which would have compromised huge swathes of the Linux ecosystem.

“There was just a few of the more bleeding edge distributions that had this,” Vincent Danen, VP of product security at Red Hat, told IT Brew. “So, the vast majority of systems on the internet today wouldn’t have been exposed to them—unless you were writing beta versions of a couple of distros.”

Danen said the attack may have been the most sophisticated attempt to sneak an exploit into Linux he’d ever seen, making its discovery within two months of introduction all the more impressive.

"In the grand scheme of things, it was actually quite fast,” Danen said. “The fact that it didn’t impact any enterprise, open-source Linux vendor was kind of a testament to the fact that they typically tend to be a little bit long running behind the current version from upstream.”

As ZDNet noted, while speculation that Tan was a state-backed threat actor is rampant, little evidence points to their actual identity.

Now, it appears xz Utils is far from the only open-source project facing similar infiltration attempts.

On April 15, the Open Source Security Foundation and OpenJS Foundation issued a joint statement warning the xz Utils attack “may not be an isolated incident as evidenced by a similar credible takeover attempt intercepted by the OpenJS Foundation, home to JavaScript projects used by billions of websites worldwide.” The statement said the OpenJS Foundation Cross Project Council had received a number of questionable emails, in which the author was seeking to be made a maintainer on “one of its popular JavaScript projects.”

OpenJS team members identified two other likely attempts targeting non-foundation JavaScript projects, according to the statement, and notified leadership as well as the federal government.

While the collaborative, public nature of the open-source community provided the attacker with their opportunity, it may have also thwarted it.

“These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them,” the foundations wrote in the statement.

“In a lot of ways, open source worked the way it was intended to work,” Danen told IT Brew. “Open source is very appealing to people who are curious, and then in this case, it was the curiosity that found it.”