What we know about the xz Utils backdoor that almost infected the world

Discovery and Exploit Mechanics

  • The backdoor was found incidentally via odd Valgrind behavior and performance regressions in SSH; people note this was largely luck, not systematic review.
  • Backdoor path: xz → liblzma → libsystemd (or other consumers) → sshd, via dynamic linking and glibc IFUNC plus audit hooks to hijack RSA-related calls.
  • The malicious payload was hidden in test artifacts and build scripts, triggered only in .deb/.rpm build environments and when loaded into sshd at runtime, with checks to evade debugging and non-“natural” starts.
  • Clarification that OpenSSH itself doesn’t use xz directly; distro-specific patches and transitive dependencies enabled the attack path.

Attribution and Attacker Profile

  • Heavy debate whether the attacker was a lone, highly motivated individual versus a state-backed or contracted team.
  • Some participants analyze commit timestamps and time zones, suggesting deliberate obfuscation and day-job-like work patterns, but attribution remains explicitly “unclear.”
  • Many note multiple plausible states or non-state groups; others warn against over-focusing on any nationality without evidence.

Maintainer Handoff and Social Engineering

  • The original xz maintainer was overworked and unwell; a new contributor gradually gained trust, took on more work, and effectively became de facto maintainer.
  • Discussion highlights gaslighting‑style pressure, “helper” rhetoric, and long-term relationship building as part of a coordinated social attack.
  • Several argue that knowing someone personally or via calls is not a reliable safeguard, though others think in‑person or video presence raises the bar.

Impact and Distribution Scope

  • Backdoored versions shipped for weeks in some rolling-release distros (e.g., Arch-derived, Gentoo, openSUSE Tumbleweed), but payload logic only targeted deb/rpm-style builds; many believe it never reached the widest “enterprise” deployments.
  • Some worry the real objectives may already have been met, especially on developer or security-focused distros; others think exposing it now massively increases scrutiny and deterrence.

Supply Chain and Tooling Lessons

  • Strong criticism of autotools and giant generated configure scripts: opaque, hard to review, and ideal hiding places for malicious logic.
  • Suggestions:
    • Stop shipping source tarballs that differ from VCS; or at least verify tarballs are reproducible from git.
    • Commit all compiler inputs, or enforce that generated artifacts are reproducible and checked in CI.
    • Test build scripts themselves and treat unusual Valgrind/ASan/CI failures as potential red flags.

Dependencies, Systemd, and Attack Surface

  • Repeated concern that libsystemd (and similar “kitchen sink” libs) are large, complex, and pulled in transitively for small features like startup notification.
  • Some argue systemd is unfairly scapegoated; alternatives (libc, libnss, SELinux, other ubiquitous libs) could have been abused similarly.
  • Ideas floated: dlopen compressors to narrow when libraries are loaded; minimize base OS and push more into containers; reduce unnecessary dependencies and avoid “one big library for everything.”

Open Source Model, Funding, and Governance

  • Diverging interpretations:
    • One camp says this demonstrates open source works because the bug was ultimately found and analyzed quickly.
    • Another calls it a “massive failure” of the OSS model, especially around trust, single‑maintainer projects, and social attack resistance.
  • Broad agreement that critical libraries with huge installation bases should not be maintained by an underfunded individual; calls for sustained funding and institutional support.
  • Debate over whether governments or large companies will respond by:
    • Investing more in OSS maintenance and audits, versus
    • Retreating into proprietary software and “security theater” vendors.
  • Some propose formal vetting or “KYB/KYC‑like” practices for core maintainers, others argue this is impractical, biased, and shifts blame from downstream users who choose dependencies.

Future Defenses and Open Questions

  • Proposed improvements include: formal verification for core components, deterministic and signed builds, better static analysis, LLM‑assisted review, richer dependency graphs, and stricter separation of test resources from production code.
  • Network-layer mitigations (e.g., IP whitelisting, port knocking) are noted as effective in limiting exploitability of an sshd backdoor, though framed as only one defense layer.
  • Many expect more similar backdoors to be uncovered as projects re‑audit history; some speculate successful past attacks may already have been quietly “cleaned up.”