TLDR:
- Popular Rust crate liblzma-sys shipped the XZ Utils backdoor test files in version 0.3.2
- Malicious test files removed in version 0.3.3; the affected version has been yanked from crates.io
Phylum has reported that the binary "test files" carrying the XZ Utils backdoor payload were found in the Rust crate liblzma-sys, which bundles the XZ Utils source and has been downloaded over 21,000 times. The affected release, 0.3.2, shipped these files; they have been removed in 0.3.3 and the affected version has been yanked from the registry. The files are inert on their own: in XZ Utils the payload was extracted from them by modified build scripts in the release tarball, so whether a downstream copy is exploitable depends on whether its build process runs that injection step, which is the check a practitioner should make before deciding a vendored copy is harmless. The XZ Utils backdoor, discovered in late March, let an attacker holding a specific private key bypass SSH authentication and execute commands on the target host. The operation behind it is suspected to be state-sponsored because of its complexity, its sophistication, and the long social-engineering campaign against the project's maintainer that preceded it. The incident highlights the ongoing threat to open-source maintainers from social engineering and to downstream projects that vendor upstream source without auditing it.
Microsoft engineer and PostgreSQL developer Andres Freund identified the malicious code in XZ Utils versions 5.6.0 and 5.6.1 (CVE-2024-3094). On affected Linux distributions the backdoored liblzma is loaded into the OpenSSH server process via libsystemd; it hooks the RSA public-key signature check and executes commands embedded in a connection from an attacker who holds the matching private key, giving unauthenticated remote code execution. This event underscores the importance of maintaining vigilance and security measures in the open-source community to prevent such incidents in the future.
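The two concrete checks the article implies, as an added example that is neither Phylum's nor the liblzma-sys project's code: scan a Cargo.lock for the liblzma-sys 0.3.2 release named above, and check the output of `xz --version` for the backdoored 5.6.0 and 5.6.1 releases. The lock-file scanner is a minimal line scanner for the `[[package]]` entries Cargo writes, not a general TOML parser; the embedded sample lock file and `xz --version` text are constructed for the example, and the `Finding` type and function names are this example's own.

```rust
// Added example (not Phylum's or the liblzma-sys project's code): scan a
// Cargo.lock for the liblzma-sys release that shipped the XZ backdoor test
// files, and check `xz --version` output for the backdoored upstream releases.
// The lock-file scanner is a minimal line scanner for the `[[package]]`
// entries Cargo writes, not a general TOML parser.

use std::env;
use std::fs;

/// liblzma-sys release that bundled the backdoor test files (from the report).
const AFFECTED_CRATE: &str = "liblzma-sys";
const AFFECTED_CRATE_VERSIONS: &[&str] = &["0.3.2"];
/// XZ Utils releases carrying the backdoor (CVE-2024-3094).
const AFFECTED_XZ_VERSIONS: &[&str] = &["5.6.0", "5.6.1"];

#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub name: String,
    pub version: String,
}

/// Return `value` from a line of the form `key = "value"`, or None.
/// Unquoted values (e.g. the lock-file `version = 3` header) are ignored.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start();
    let rest = rest.strip_prefix('=')?.trim_start().strip_prefix('"')?;
    rest.split('"').next()
}

/// Walk every `[[package]]` entry and report affected name/version pairs.
pub fn scan_lockfile(contents: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    // A trailing sentinel header flushes the last entry.
    for line in contents.lines().chain(std::iter::once("[[package]]")) {
        let line = line.trim();
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                if n == AFFECTED_CRATE && AFFECTED_CRATE_VERSIONS.contains(&v.as_str()) {
                    findings.push(Finding { name: n, version: v });
                }
            }
        } else if let Some(v) = quoted_value(line, "name") {
            name = Some(v.to_string());
        } else if let Some(v) = quoted_value(line, "version") {
            version = Some(v.to_string());
        }
    }
    findings
}

/// True if any token in `xz --version` output is a backdoored release.
/// Covers both the `xz (XZ Utils) X.Y.Z` and the `liblzma X.Y.Z` lines.
pub fn xz_output_affected(output: &str) -> bool {
    output
        .lines()
        .flat_map(|l| l.split_whitespace())
        .any(|tok| AFFECTED_XZ_VERSIONS.contains(&tok))
}

/// Constructed sample lock file (not from a real project), used when no path is given.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "xz2"
version = "0.1.7"
dependencies = [
 "lzma-sys",
]

[[package]]
name = "liblzma-sys"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    let contents = match env::args().nth(1) {
        Some(path) => fs::read_to_string(&path).expect("cannot read lock file"),
        None => SAMPLE_LOCK.to_string(),
    };
    let findings = scan_lockfile(&contents);
    if findings.is_empty() {
        println!("no affected {} versions in lock file", AFFECTED_CRATE);
    } else {
        for f in &findings {
            println!("AFFECTED: {} {} (upgrade to 0.3.3 or later)", f.name, f.version);
        }
    }
    // Constructed `xz --version` output; run the real command to check a host.
    let sample_xz = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n";
    println!("sample xz output backdoored: {}", xz_output_affected(sample_xz));
}
```

Run it as `cargo run -- path/to/Cargo.lock` against a real project; with no argument it scans the constructed sample. A version match in Cargo.lock only tells you the crate was resolved, so pair it with `cargo tree -i liblzma-sys` to see which dependency pulled it in, and remember that the crate's test files are harmless unless the build actually runs the injection step described above.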