How a Hacker Hid a Backdoor in the xz Compression Tool for Over Two Years

Recently a critical vulnerability was discovered in the open‑source compression tool xz. A hacker joined the project as a contributor, spent nearly three years gaining trust and commit rights, and then stealthily inserted a backdoor into the code.

xz is used by the remote‑login daemon sshd, which is present on macOS and Linux, so a compromised xz library could affect a huge number of systems.

The backdoor affects xz versions 5.6.0 and 5.6.1; older versions such as 5.2.10 or 5.2.5 are not vulnerable.

Step‑by‑Step Process

The attacker, using the alias JiaT75, created a GitHub account in 2021, contributed to xz, and earned direct commit privileges while masquerading as a Chinese developer.

In a recent commit, JiaT75 added two test binary files (bad‑3‑corrupt_lzma2.xz and good‑large_compressed.lzma) that look harmless but are processed by the build script under specific conditions, altering the compiled output.

The injected code uses glibc’s IFUNC mechanism to hook OpenSSH’s RSA_public_decrypt function, allowing the attacker to bypass RSA signature verification.

Any program linking both liblzma and OpenSSH—most notably sshd—becomes vulnerable, enabling crafted requests to bypass key verification.

The malicious xz packages have been pushed to Debian testing and are being targeted for inclusion in Fedora and Ubuntu, with the attacker timing submissions just before Ubuntu’s beta freeze to reduce detection time.

The hacker’s infiltration went unnoticed for over two years because the project maintainer frequently disconnects from the internet, leaving no one to review incoming code.

A Slip Revealed

The backdoor contained a subtle bug that caused a CPU spike in sshd under certain conditions. A PostgreSQL developer noticed the spike, performed performance analysis, and discovered a 500 ms delay that led to the backdoor’s exposure.

If not for this coincidence, the backdoor could have spread to countless machines, potentially compromising development workstations worldwide.

The malicious code was added during the packaging build as a make instruction that inserted a “.”, causing the sandbox test to be bypassed and allowing arbitrary shell commands to be executed during compilation.

Conclusion

The attacker spent more than two years infiltrating the open‑source project, rising to a position of high trust before deploying a backdoor that could affect any system using xz and OpenSSH. This case highlights the extreme risk of supply‑chain attacks in widely used open‑source components.