In a interesting discovery that sent a series of shockwaves through the Linux community, Andres Freund, Principal Software Engineer at Microsoft, located a malicious backdoor in the widely used compression tool called "xz Utils." The backdoor, introduced in versions 5.6.0 and 5.6.1 of the utility, can break the robust encryption provided by the Secure Shell (SSH) protocol, allowing unauthorized access to affected systems. What Andres Freund found is that the latest version of xz Utils is taking 0.5 seconds in SSH on his system, while the older system with the older version took 0.1 seconds for simple processing, prompting the user to investigate and later send a widespread act for caution. While there are no confirmed reports of the backdoored versions being incorporated into production releases of major Linux distributions, the incident has raised serious concerns among users and developers alike.
Red Hat and Debian, two of the most well-known Linux distribution developers, have reported that their recently published beta releases, including Fedora 40, Fedora Rawhide, and Debian testing, unstable, and experimental distributions, used at least one of the affected versions of xz Utils. According to Red Hat officials, the first signs of the backdoor were introduced in a February 23 update, which added obfuscated (unreadable) code to xz Utils. A subsequent update the following day introduced functions for deobfuscating the code and injecting it into code libraries during the utility's update process. The malicious code has been cleverly hidden only in the tarballs, which target upstream releases of Linux distributions.