Malicious code in XZ supply chain and releases

Post by **barbaz** » Sat Mar 30, 2024 8:48 pm

https://security.archlinux.org/CVE-2024-3094
https://arstechnica.com/security/2024/0 ... nnections/
https://gist.github.com/thesamesam/2239 ... 78baad9e27

Post by **barbaz** » Sun Mar 31, 2024 4:11 pm

Now this is interesting: Someone is making the point that because affected versions of xz-utils are GPL-licensed, the malware author and the xz-utils project are both legally required to provide the full source code for the malware (which was distributed only in obfuscated binary form) - ~~github.com/tukaani-project/.github/issues/2~~

EDIT Broke dead link as both that issue and the account that posted it appear to have been deleted.

Post by **therube** » Tue Apr 02, 2024 3:26 pm

A Microcosm of the interactions in Open Source projects

[User canned by moderator] · Sat May 10, 2025 12:24 pm

This incident with malicious code in the XZ supply chain highlights just how vulnerable even widely trusted software can be. It’s a strong reminder that the software supply chain needs more rigorous auditing and better transparency across all levels. What's particularly concerning is how long this backdoor went unnoticed, showing the limits of our current review processes.

As the industry continues to move toward digital transformation, it's becoming more critical than ever to integrate stronger security practices into every stage of development and deployment.

InformAction Forums

Malicious code in XZ supply chain and releases

Malicious code in XZ supply chain and releases

Re: Malicious code in XZ supply chain and releases

Re: Malicious code in XZ supply chain and releases

Re: Malicious code in XZ supply chain and releases