⛓ Supply Chain

Akamai / CrowdStrike / Wikipedia / Datadog Security Labs

📅 2024-02-24 🔎 CVE-2024-3094
Primary Source ↗

Incident Details

CVSS 10.0. The suspected nation-state actor 'Jia Tan' (JiaT75) spent more than two years cultivating trust in the xz-utils project before becoming a co-maintainer, then injected an SSH authentication-bypass/RCE backdoor into versions 5.6.0 and 5.6.1. The backdoor hooks into systemd-linked OpenSSH via a malicious shared library. Affected distributions: Fedora 40/Rawhide, Debian testing/unstable, openSUSE, Kali Linux and Arch. Discovered on March 29 2024 by Microsoft engineer Andres Freund, who noticed anomalous CPU usage. The backdoor was caught before widespread adoption in stable distro releases. State-sponsored attribution is suspected but unconfirmed.

Technical Details

Initial Attack Vector
CWE-506: Embedded Malicious Code (multi-year social engineering to gain maintainer status, then injected SSH backdoor into xz-utils)
Software Package
xz-utils
CVE / GHSA References
CVE-2024-3094
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2024-02-24 Breach occurred
  2. 2024-03-29 Publicly disclosed
  3. 2024-03-30 Customers notified