An in‑depth investigation reveals how a lone maintainer of the ubiquitous XZ compression library was psychologically pressured, infiltrated by a fake contributor, and ultimately used to plant a CVE‑2024‑3094 backdoor that threatened billions of Linux servers worldwide.
A severe backdoor discovered in XZ Utils versions 5.6.0 and 5.6.1 (CVE‑2024‑3094) allows unauthorized remote code execution via SSH, affecting major Linux distributions such as Debian testing, Fedora Rawhide, Arch, and openSUSE, and users are urged to upgrade immediately.
Red Hat’s emergency advisory (CVE‑2024‑3094) warns that malicious code was inserted into xz‑utils 5.6.0/5.6.1, creating a remote‑access backdoor that affects only Fedora 41 and Rawhide, traced to attacker JiaT75 who compromised the Tukaani project for three years before GitHub disabled the repository.
Red Hat's urgent security advisory reveals that the latest xz 5.6.0/5.6.1 tools and libraries contain sophisticated malicious code that can grant unauthorized remote access, impacting Fedora 40, Fedora 41, and Rawhide while leaving all RHEL versions unaffected.
