The backdoor was found by Microsoft software engineer Andres Freund, who also notes that the harmful code was included in the tarball distribution package of XZ Utils version 5.6.0, which was made available in February 2024.
Shortly after, version 5.6.1 was released; it contained fixes for problems the malicious code caused in certain configurations, as well as additional obfuscation.
The code modifies the XZ Utils package’s liblzma library; it is designed to run at the end of a script and to grant unauthorised access to the system. The issue, tracked as CVE-2024-3094, has been assigned a CVSS score of 10/10 by Red Hat.
As of now, the Linux distributions confirmed to be affected are Fedora Rawhide and Fedora Linux 40 beta (but not Red Hat Enterprise Linux), openSUSE Tumbleweed and openSUSE MicroOS, Kali Linux, and Arch Linux.
No stable release of Debian or Ubuntu shipped the backdoored packages, and Linux Mint, Gentoo Linux, Amazon Linux, and Alpine Linux are unaffected.
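The first check most administrators want is whether the installed xz/liblzma is one of the two releases named above, 5.6.0 or 5.6.1. The POSIX shell function below is an added example, not code from the article or from Binarly's detector; `xz_affected` parses the text of `xz --version` from standard input so it can be exercised on constructed samples, and the `check_installed_xz` wrapper runs it against the local binary.

```shell
#!/bin/sh
# Added example: flag the XZ Utils releases named in the advisory (5.6.0, 5.6.1).
# xz_affected reads `xz --version` output from stdin and prints each
# component (xz, liblzma) with its version and AFFECTED/ok status.
# Returns 0 when an affected version is found, 1 otherwise.
xz_affected() {
    found=1
    while IFS= read -r line; do
        # Sample lines look like "xz (XZ Utils) 5.6.1" and "liblzma 5.6.1"
        case "$line" in
            "xz ("*)  name=xz;      ver=${line##* } ;;
            liblzma*) name=liblzma; ver=${line##* } ;;
            *) continue ;;
        esac
        case "$ver" in
            5.6.0|5.6.1) printf '%s %s AFFECTED\n' "$name" "$ver"; found=0 ;;
            *)           printf '%s %s ok\n' "$name" "$ver" ;;
        esac
    done
    return $found
}

# Convenience wrapper for the local system (hypothetical helper name).
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 1; }
    xz --version | xz_affected
}
```

A clean version string is only a first triage step; a package rebuilt from a clean tarball can still report 5.6.x, so confirm against your distribution's advisory for CVE-2024-3094.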
Binarly, a software supply chain security company, has released a free backdoor detector called XZ.fail that performs generic IFUNC insertion detection with almost no false positives. Because the detection is based on behavioural analysis, Binarly says it can automatically identify the same invariants if a backdoor of a similar nature is planted elsewhere.